A lot of really terrible takes in this comment section. Telegram didn't have encrypted groups by default, and Telegram possessed a lot of content on their servers that they had been made aware was illegal and didn't cooperate. Nothing more, nothing less.
The comparisons to other providers are off base because either other providers are cooperating more when they possess actionable, unencrypted information and taking steps to detect or prevent such recurrences or they are like Signal and do not have access to the underlying material in the first place or store it for very long anyway.
One cannot legally run a hosted, unmoderated content platform in the developed world, one will always be required to remove illegal materials and turn over materials in cooperation with law enforcement.
> One cannot legally run a hosted, unmoderated content platform in the developed world, one will always be required to remove illegal materials and turn over materials in cooperation with law enforcement.
Just would like to clarify, Telegram does take down channels/bots in some cases including copyright infringement. The only bots I’ve dealt with were music downloaders so I don’t know much about other kinds of takedowns, but it’s wrong to say that Telegram doesn’t/didn’t take down material. Perhaps not enough or frequently enough, and I certainly don’t condone immoral activities - but they do do it sometimes.
They do it whenever the risk of Apple or Google kicking them out of their respective app stores becomes too great. That's presumably the only entities they take content moderation input from.
This is a fantastic case of hypocrisy here. I personally see Facebook ads for illegal drugs at least once a week, and nothing happens. I even stopped reporting it because it was obviously pointless. Why? Because Zuck is "our son of bitch".
He's been publicly chewed out at hearings by U.S. Senators, at least on the Republican side, for things like that. But the senate apparently doesn't have the power to do anything about it, or at least prioritize it with the rest of what is on their plate. I agree though that if Zuckerberg had been a Russian citizen, France probably would have arrested him too.
Terrible takes notwithstanding, of which there are many, the issue I see with such arguments is that it's always possible to find legal violations that technically justify prosecution or imprisonment. However, the legal system only functions effectively if we trust that those handling the gray areas are motivated by the common good, rather than serving the interests of a select few or protecting an elite minority. Simply focusing on the arrest and comparing it to the alleged criminal activities on Telegram, along with the supposed lack of enforcement by the company, seems like turning a blind eye. It ignores the more likely reality that this is part of a broader effort to establish a censorship regime, with platforms like TikTok, X, Telegram, and Rumble already targeted. Accepting the official narrative and pretext at face value feels, frankly, a bit naive.
It's important to note that he has only just been arrested, so there will be a case laid out, a defense offered, facts tried, and ultimately a conviction or not. I don't find a lot of sense in speculating about why or why it didn't happen as that will presumably be surfaced during the trial itself. Such events may or may not be followed up on HN as most of the time these things turn out to not be wide ranging conspiracies but more mundane wrong-doings or acquittals based on facts presented and mundane things do not get clicks.
The motivations for arresting/prosecuting a person do not usually come up in a trial. Trials usually just present evidence of why this person is supposed to be convicted/guilty, but seldom give insight to the broader picture of why this person was "chosen" while the others are not.
I also disagree with the characterization of the discussion as "wide ranging conspiracies"... voicing concern over a government arresting a major online platform that is well known for minimal censorship shouldn't be labeled as conspiracy theories.
The motivation can come up in discovery though. If there is something nefarious, you would expect the defense to bring it up during pre-trial motions (which are public, just not presented to the jury). The defense also has wide latitude to bring up such issues to the jury (although they are often limited in what they can argue about it).
In some cases, selective prosecution is itself a defense; but (as you allude to) that is a very high bar for the defense to clear.
The actual cause of the investigation is unlikely to come up during discovery or the trial. This is because of Parallel Construction [1]. Here is the first paragraph of the Wikipedia article to explain:
> Parallel construction is a law enforcement process of building a parallel, or separate, evidentiary basis for a criminal investigation in order to limit disclosure as to the origins of an investigation.
Parallel construction is about hiding methods, not motives or the actual transgression. What you’re describing is simply abuse of power: the cops don’t like the beat you’re reporting so they start ticketing you for going two over the speed limit.
I would argue that hiding methods is one way to obscure motives of those building the case against a defendant.
The specific discussion was related to a "wait-and-see" attitude in regards to the motives of the justice system of France (not the motives of the alleged perpetrator). The suggestion was that if this was politically motivated then that motive would be revealed once the discovery process began. However, if the French legal system wants to hide a political motivation then they can use parallel construction to hide their methods, thus obscuring their motives.
Also, I didn't "describe" anything. I pointed to a Wikipedia article that, in part, declares parallel construction as supported by the Supreme Court of the US. So, at least in US law, it is not at all an abuse of power but rather a totally valid approach that law enforcement can take to build a case against someone. The entire reason I even know the terms is because it showed up so often in the TV show Law & Order.
I guess you have a point, but I think the specifics depend on jurisdiction.
That said, the defense can say whatever they want about what they perceive as selective prosecution... but how do they know? It's not like they would have more knowledge about the prosecution's thought process than the average conspiracy theorist?
> [...] telegram possessed a lot of content on their servers that they had been made aware was illegal and didn't cooperate.
Do we know this for sure? What are the sources?
If that were true — then it surely would be less surprising, and even expected, but I would argue it's still bad: first because encryption would lead to the same result (as you point out) and second because what's illegal is often a matter of perspective: Telegram had content that was illegal in Russia, and didn't collaborate.
>One cannot legally run a hosted, unmoderated content platform in the developed world, one will always be required to remove illegal materials and turn over materials in cooperation with law enforcement.
One can. I think you're confusing censored with moderated. Google, Facebook, Instagram, etc. aren't moderated. They're censored. They refuse to moderate or not moderate. Censorship is a form of moderation, but it itself isn't enough to be considered moderated. Censorship is enough to make it not unmoderated though.
> One cannot legally run a hosted, unmoderated content platform in the developed world, one will always be required to remove illegal materials and turn over materials in cooperation with law enforcement.
Should you remove e.g. blasphemy which is illegal in many countries including some of what I assume you call "developed world"?
If you are a multi-national with a legal presence in that country you likely have the resources to engage local counsel in answering that question and to assist in understanding the legal risks of various business decisions.
I don't ask for legal advice, I ask you how do you imagine the "always remove illegal content, easy" part of your plan to work? There's no common definition of what is legal. E.g. do you suggest removing content if it's illegal anywhere in the world?
This really isn't a difficult question to answer: You remove the smallest subset of content such that you are allowed to operate in the markets in which you plan to operate/have a business presence in/plan to visit.
That's an imaginary simplicity since there is no such thing: determining a subset requires very high certainty in the rules (to be able to apply them and not run afoul), which doesn't exist in any real legal system.
The defendant in question is a French citizen, being arrested in France, so if I were similarly situated I would expect to follow French law at a minimum.
My answer wasn't intended to be dismissive, truly, the answer will be specific to one's legal situation and the jurisdictions they plan to operate in and are best answered specifically by competent counsel in those jurisdictions after considering one's specific facts. Asking if one should comply with laws "anywhere in the world" is not a useful question by itself.
Why would you not ask for legal advice on potential legal issues when registering users from countries you do not operate in? That is the only way you can understand the definitions of what is and is not legal in those countries.
I've never run a web service personally, but to me it seems blocking access from UK, FR, DE is going to be the real long-term solution. Direct user participation from those regions is irrelevant anyway. That's going to narrow the problems down into actually working with police agencies in good faith and bypassing payment processors' moral policing.
You should certainly have a formal process to respond to those countries’ requests, and you might consider technical architectures that don’t leave you in direct custody and control of that content in the first place.
> You should certainly have a formal process to respond to those countries’ requests
Mere responding is evidently not enough, you need to cooperate.
> you might consider technical architectures that don’t leave you in direct custody and control of that content in the first place.
This rules out the "public channel" feature.
Essentially what you say boils down to a global publishing platform being impossible nowadays without random and contradictive censorship acts.
While this is probably true, I definitely don't share the "yeah throw him to jail" sentiment. On the contrary, I miss very much the truly global Internet of early 2000s. If this was possible back then, it must be, generally speaking, possible? Are we going to see anything like this again in our lifetimes?
> Mere responding is evidently not enough, you need to cooperate.
Only if the request is coming from a country with a lot of power to effect its judgments internationally, or from a country you plan to personally visit. Whether or not you agree with it, ignoring legal requests from the US, China, and the EU (and debatably some other countries), isn't really an option in this day and age.
Until you wanted to visit a small country on vacation and forgot you ignored their court order 4 years ago.
Or you visit some random country and didn't check the extradition treaties they have with some other country you thought you'd never visit.
Or maybe new extradition treaties (yay!)
The sad conclusion I'm seeing in this story is: If you make an internet service, it's safer to just block off all the countries except the specific ones you're planning to operate in.
We need forums in my town. Anyone can set one up in minutes if it has already been done. But even if the site is about engines, you can't be sure that some data is not what it seems. It could be a plot to burn down Parliament, or it could offend people from a peaceful country who humbly want to reconstruct the map of the world back to 100 BC.
You just don't know. And so we do not even have a single local forum.
I am pretty sure that aiding criminal activity or child pornography are illegal in more countries than not, which are on the list of charges, and can be expected to do against from anyone, and ontopic here. Unlike blasphemy.
Telegram has been operating for years and did not change recently to justify such an action yesterday. There's something more certainly. Maybe they did not comply with requests related to recent war in Ukraine or genocide in Palestine?
The initial investigation which triggered the arrest was made by the OFMIN ("Office spécialisé dans la lutte contre les violences faites aux mineurs" basically the government branch tracking and fighting CSAM).
Supposedly, Telegram (and by definition of the French law, the CEO) did not respond to requests for takedown of harmful content (or not enough or faster?) from the OFMIN. This triggered another investigation looking globally at how Telegram handles content moderation on the public part of Telegram (Channel) which led to all other charges of complicity.
This is basically the CEO taking the fall because the (unreachable by French law) Telegram company is not on French soil and he made the mistake of landing here.
Telegram always elicits bizarre reactions from the public. On one side there’s actual security professionals saying don’t use Telegram because it’s not fully E2E encrypted, and on the other side there’s people who are convinced that it’s secure because Marketing and that there’s this big conspiracy to stop people from using Telegram.
The real conspiracy theory is: Telegram have never made any attempt to either implement full E2E or to dissuade their users for using it for politically sensitive messages. Why not?
> The real conspiracy theory is: Telegram have never made any attempt to either implement full E2E or to dissuade their users for using it for politically sensitive messages. Why not?
Could be something nefarious or could be because not doing things is easier than doing things. Why bother if the existing conditions are just fine (for Telegram)?
I sincerely doubt that Telegram makes most of its money by being this kind of host. I don't generally give the government the benefit of the doubt when it comes to _communication_ platforms. I also see zero evidence that Telegram's existence or policies help promote or create crime in any way.
It's not conspiratorial to refuse to show deference to the government which currently only has vague accusations to justify jailing a CEO. If the French government was so concerned about the criminal aspect then they should just order Telegram to not operate in France or they should work to block it at a national level.
The problem, the reaction, and the solution are not at all aligned here. Why anyone would jump in to defend the government's actions is absolutely beyond me.
> "which currently only has vague accusations to justify jailing a CEO"
If they are charging him and intend to convict, they have specific accusations, unless the French legal system is much different than the rest of the western world.
> "If the French government was so concerned about the criminal aspect then they should just order Telegram to not operate in France or they should work to block it at a national level."
Many governments with anti-CSAM laws exercise universal jurisdiction in those statutes (i.e. they will prosecute anyone for those crimes regardless of where they were committed and regardless if the person in question is a citizen), that being said it isn't entirely relevant here since the defendant is a French citizen. I would fully expect a government with CSAM accusations to prosecute those involved in facilitating such not just "block" them.
It's worth noting that the person in question was just arrested, so the trial hasn't happened yet, and yes the government could be full of shit, that would presumably come out at trial as dropped charges or an acquittal.
Precisely. So the constant need for people to gatekeep in here and chastise other people for having a negative view of the French government's actions is, to me, absurd.
> and yes the government could be full of shit
Yes. That's the assertion based upon the balance of history and probability and the complete disconnect between these actions and actual law enforcement outcomes.
> that would presumably come out at trial as dropped charges or an acquittal.
That doesn't mean we can't have a discussion about it.
> I sincerely doubt that Telegram makes most of its money by being this kind of host.
One thing I did find suspicious about Telegram was that accounts that are restricted for "spam" can create a new account and pay for a premium license to remove the restrictions on the new account. Seemed like a racket to me.
ultimately this fight against unmonitored messaging is going to be a lost one for the developed world. people who want encrypted group chats will get them
As I hinted at earlier Signal does not have this issue because generally they are not aware of the underlying content. Even if Signal becomes aware of said content, it likely isn't hosted on their servers anymore as their store and forward system is highly transient. The most Signal could do is be compelled to block specific users and maybe shut down certain groups (not sure on that last one, would have to review the group architecture).
Precisely my point - moderated messaging in the modern era will ultimately be unenforceable.
Which is why I don’t see why certain services should be legally penalized just because they don’t happen to be E2E encrypted. Like if Telegram was instead e2e encrypted, why should that be legal if what they were previously doing wasn’t?
1) On the technical side, Telegram groups operate more like a bulletin board, content is posted and can be fetched over and over again, a bulletin board owner can be compelled to remove material and if non-cooperating considered to be facilitating. Signal is more like a conversation in the town-square or a letter box of sealed envelopes. Once the content is fetched, it's gone. If Signal is made aware that certain envelopes contain material that needs to be removed, I'm sure they would do so provided they still possess them.
2) On the non-technical side, many countries have crimes that are all about who knew what and when did they know it and could they have acted (or did they have a duty to do so). Facilitating, accessory, accessory after the fact call it what you will but that's more of a legal / philosophical argument to be had about the legal system in general rather than Telegram specifically. A situation where Telegram was made aware of illegal activity and was hosting said content in the clear and did nothing is manifestly different from a case where those facts did not exist, in most legal systems.
So essentially what you are saying is that because we couldn't catch the smart criminals who use e2e encrypted services we shouldn't catch the dumb ones either?
They made a claim that Telegram are particularly unresponsive to legitimate requests from various law enforcement groups which as a statement goes isn’t particularly controversial.
I posted this elsewhere ITT, but what's your opinion on the following (I have NO opinion - as I can't verify any facts about anything - so I am just an Observer of the events and what people are saying:)
>This reminds me of the entire plot to the last of the Bourne movies, Jason Bourne, where there is a scene of the head of some intel agency (Tommy Lee Jones) propositioned a social media founder to give them backdoor access or he would be killed. Great movie.
A lot more and a lot less than that. Arresting this CEO in France is largely a political decision, not a politically neutral enforcement action against the Telegram platform.
They don’t perform the same enforcement against other entities they could go after.
How is it not just a neutral enforcement action against the Telegram platform? The Telegram platform knowingly hosts illegal content in unencrypted format and does little to moderate that, which is illegal in many countries. The CEO is accountable for how the company operates and what happens on the platform.
If Telegram breaks the law - which it does - it’s completely logical that the CEO is held accountable for that and is arrested.
Why are these service providers being punished for what their users do? Specifically, these service providers? Because Google, Discord, Reddit, etc. all contain some amount of CSAM (and other illegal content), yet I don't see Pichai, Citron, or Huffman getting indicted for anything.
Hell, then there's the actual infrastructure providers too. This seems like a slippery slope with no defined boundaries where the government can just arbitrary use to pin the blame on the people they don't like. Because ultimately, almost every platform with user-provided content will have some quantity of illegal material.
Dotcom got extradited (which was declared legal much later). Durov landed in a country that had an arrest warrant out for him.
I hope his situation isn't similar to Dotcom's, as Dotcom was shown to be complicit in the crimes he was being persecuted for. Convicting the Megaupload people would've been a LOT harder if they hadn't been uploading and curating illegal content on their platform themselves.
As a service provider, you're not responsible for what your users post as long as you take appropriate action after being informed of illegal content. That's where they're trying to get Telegram, because Telegram is known to ignore law enforcement as much as possible (to the point of doing so illegally and getting fined for it).
> the operators of the messenger app Telegram have released user data to the Federal Criminal Police Office (BKA) in several cases. According to SPIEGEL information, this was data from suspects in the areas of child abuse and terrorism. In the case of violations of other criminal offenses, it is still difficult for German investigators to obtain information from Telegram, according to security circles.
> two popular chat services have accused each other of having undisclosed government ties. According to Signal president Meredith Whittaker, Telegram is not only “notoriously insecure” but also “routinely cooperates with governments behind the scenes.” Telegram founder Pavel Durov, on the other hand, claims that “the US government spent $3 million to build Signal’s encryption” and Signal’s current leaders are “activists used by the US state department for regime change abroad.”
I suspect most Tor exit nodes are controlled by the US government and/or its allied governments. It doesn't make much sense for anybody else to run an exit node because your IP gets banned by much of the internet and you get unwanted visits from law enforcement.
"What kinds of people operate tor exit nodes and why do they do it" is one of those questions that I know I'm not even supposed to admit being curious about, let alone ask, in the company of people who are most capable of accurately answering.
According to the more detailed news sources I can find about this, it seems he knew the French were looking for him. I don't know if he knew about the contents of the warrant, but it does seem he knew the authorities were planning to arrest him.
From what I can tell the warrant has been out for longer, but he was arrested when the airport police noticed his name was on a list. There's not a lot of information out there, with neither the French authorities nor Telegram providing any official statements to the media.
The Sud-Ouest article must have been updated because the version currently online does not mention that at all. Quite the opposite, the article quotes an official that was surprised that Durov would come to Paris anyway even though he knew he was under an arrest warrant in France, and another source says that he might have decided to come to France anyway because he believed he'll never be held accountable.
really? we seal warrants in the US all the time - we don't want people who we are trying to apprehend to always know ahead of time we are trying to apprehend them
You're somewhat mistaken. In the U.S., you aren't owed a warning that the cops are looking for you, especially if you're a flight risk. That was never part of it.
There are also valid reasons the other way, like consulting an attorney to challenge the warrant or prepare a defense before it gets executed, disrupts your life and prevents you from clearing your name because you're being incarcerated without bail. It's hard to investigate the charges against you from a cell.
Or the ability of journalists to inform the public of what the government is getting on with in their name. If the government is investigating their critics they have no right to keep it a secret.
That inconvenient bill of rights keeps us a step or two behind the rest of the anglosphere in descent to tyranny, but only for so long. It just takes a handful of dishonest judges to claim some right actually means something entirely different.
> Because in your eyes it is so gradual the difference between it's happening slowly and not happening at all is imperceptible and impossible to prove.
It's extremely straightforward to prove. You look at the laws that have been passed and the court opinions issued in the last 30-60 years.
Fuck around and find out. If he legitimately ignored legal French documents forcing him to share information, as the French have declared, he's got got.
You don't step foot on a country with an extradition treaty, even less so the country itself, where you're flouting their warrants for your company's data.
Despite having lots of treaties agreeing to extradition in principle, the UAE is somewhat notorious for never extraditing anybody anywhere in practice.
1) There was an order signed recently. He has not physically left NZ yet.
2) He's not convicted, he hasn't been in front of a judge for the charges against him
> Convicting the megaupload people would've been a LOT harder if they hadn't been uploading and curating illegal content on their platform themselves.
This is just a gimmick to bamboozle judges and the public. The ploy is to claim that someone is guilty of serious offense A because you proved they committed less serious offense B, even though the offenses have different elements and penalties.
They use the ploy because any large organization by definition has a lot of people in it and copyright infringement is pretty common, so by the law of large numbers somebody in the company is probably doing it even if the company doesn't want them to and then the prosecutors want to claim that the company as a whole is doing something wrong and has to be shut down. Which doesn't make any sense when another company is just going to provide the same perfectly legal service and the users are going to use it for the exact same thing.
Moreover, the obvious way for companies to prevent this -- indeed, the thing Megaupload's replacement started doing after the original was shut down -- is to encrypt everything so their employees have no access to it. Which I have no objection to, but if courts and prosecutors like to be able to issue a subpoena and actually get something back, they might want to reconsider turning the ability of a company to access data into a liability.
Watch his interview with Tucker Carlson and you’ll see. He doesn’t acquiesce to government requests for moderation control, censorship, and sharing private user data so they target him. He refuses to implement backdoors as well. In stark contrast to western social media companies.
When an authoritarian govt is calling for the release of someone who runs a "private" messenger, it suggests they have a back door. Otherwise they tend to oppose all private messaging.
No, there is no logical link between the two events. Russian govt can protest that for propaganda reasons: to make a point that Western governments are restricting freedom of speech.
They're hitting that Uno Reverse card. Tbf, the US does a LOT of the stuff that we openly criticize Russia and China for. Which, I would hope that people have enough insight to recognize that this is a bad thing across the board. The only people who get hurt and face consequences from this kind of a thing are the citizens.
This is a key perspective people fail to take into account. We've been conditioned by movies, books etc to think everyone fits into these black and white "good and bad" categories.
Most western countries do horrific things we do not find acceptable, but when we do find out we hand wave it away because they're the "good guys".
They don't tend to care until large enough quantities of people start listening despite whatever filters (i.e. de-ranking social media posts) and countermeasures (i.e. cable news assets) are put in place before it gets to that point. Then they very likely have the ability to label it as misinformation and find a legal reason to prosecute under a number of broad categories: https://www.thefederalcriminalattorneys.com/false-informatio...
It came very close to this during Covid, and maybe once or twice since then.
You're free to say what you want, and everyone is free to ignore you if what you say doesn't jive with "common sense".
No. What would be illogical is to assume that because Russia might be motivated to protest for the sake of propaganda, that it is not also, or instead, motivated by not wanting to lose access to a hypothetical backdoor.
I don't completely buy the fact that he was arrested because he didn't cooperate with authorities. World Police forces have a history of infiltrating criminal groups and gaining their trust; planting backdoors isn't the only way they can investigate people.
Also, this way they're yelling loud to these people "hurry! pick another platform!".
And then, he is also on Putin's wanted list; his arrest could one day turn him into a valuable bargaining chip.
Also now they have added “because people watch football matches illegally on Telegram”. So they are going to throw everything and the kitchen sink at Durov, probably also national security issues because anti-French political groups use Telegram in Africa.
It is still not a backdoor, sorry, you are completely mistaken.
They came - tried to come - in the front door openly (the expression "back door" means something completely different, just look it up and you will see) to catch criminals doing well-known and prominent criminal activity, but Telegram decided to protect the criminals instead. You can try to smear in whatever imaginative reasons behind it when the reasons are in front of your face; like it or not, it does not matter if you like it or not! Also, how much people like Telegram because 'it is so user friendly and pretty' is not on par with the serious crimes committed and aided there, completely not!
Also, it is still the investigative phase, but the suspicion is completely warranted.
I seriously do not understand low-moral people shielding those helping criminals. Do you really not know what you are doing, seriously, just because there is a - misleadingly presented - popular service there? Really? The moral state of the social media user masses is very worrying.
Telegram publishes open-source clients that can run on open-source platforms. Signal does not offer any client that doesn't depend on proprietary code (either iOS or Google Play Services) and is aggressive about taking down third-party builds that remove that dependency. I'd say there's a lot more reason to assume Telegram is not wilfully backdoored than Signal (though I'd trust Wire or Matrix ahead of either of them).
We have no real way to check for backdoors in Signal either. Signal is not transparent about what code their servers are running, and you are not allowed to start your own server with a known version. They do not allow for independent distribution of reproducible builds on F-droid, or any other application store that does not identify you. They will take steps to lock out any independent implementations of the client from their servers. That the code for their client is released is good, but not good enough.
Huh, I was going to point out that the Signal server isn't Free Software either, since for a while it wasn't being published, but it seems they have gotten back into publishing it.
while it's amazing for them to keep maintaining it, as the person mentioned down the thread, it's hard to know what they are actually running, right? and it's not a lot of work to patch this or clone/branch as necessary before deploying. Oh well, i already resigned that a part of my life will be run by someone else by now.
Publishing server code provides no assurance of anything (although it is still nice, for other reasons) since nobody can know if what they (for any "they") run in production is the same as the public source.
Open client code and documented protocols are much more important. If you can compile your own client from open source code and it works fine, then you can know for sure what you're sending to the server.
If you bothered to look, you would find that both of the examples given are open-source servers. You might then deduce that you misunderstood the comment to which you replied.
You cannot audit the system/service logs for those servers, neither can you audit the hardware running those servers, nor the internet providers who can snoop on the traffic et al... That's the argument behind "Open source server" in case it wasn't clear.
This might be where the misunderstanding is. This software is indeed server software that anyone can run, and the global network consists of servers run by many independent entities, in many cases with full control of the hardware. One of these entities can be you, and it is completely possible to run from home.
The integrity of your conversation with someone would then depend on both your endpoints, clients, and the respective server.
Just like email, but for chat. There is no single gatekeeper who is allowed to use the network.
No misunderstanding at all. The argument is very clear.
> global network consists of servers run by many independent entities
This is not the case for all the popular chat apps including Signal which uses centralized servers which they run themselves. They clearly see little benefit from this distributed independent server model.
And even that doesn't mean the server is open source.
As I explained earlier if you cannot audit the physical server you are connected to, claiming it's open source is useless. FYI that's literally how the term open source was used in this context!
> The integrity of your conversation with someone would then depend on both your endpoints, clients, and the respective server.
Client to client verification simply works and eliminates the need to also "verify" the server which if compromised introduces an even higher risk of contamination in the trust model (too many co-dependent functions are delegated to the server), not to mention collusion in establishing integrity of yet another device that we need to trust.
Not sure what part of my comment amused you so much.
An IM platform server can be open sourced. Just like any kind of software.
It's just a matter of publishing your code and, preferably, making it possible to verify that the service your users are connecting to is built using the same published code.
How could you possibly verify what code they are running server-side?
Typically, the way it goes is that you implement e2ee such that even a fully compromised server cannot read the clients' messages, publish the client's source code, and build it yourself or use reproducible builds. That last part is where you can criticize Signal. Whether they publish the server code is mostly irrelevant unless you want to run a separate messenger infrastructure.
> unless you want to run a separate messenger infrastructure.
Or if you S2S federate with the upstream server. Which is a core differentiator of XMPP and Matrix. Signal server(s) notably supported proper federation during their initial growth-phase but famously closed it off ("The ecosystem is moving").
Similar story as Google [Chat/Talk/Hangouts], which did federate over XMPP before they closed that down years ago.
Which government? There have been a lot of mysterious deanons of protesters in Belarus in 2020. You know, the kind of deanon where armed people break down your door and you're going to be beaten and tortured for several days at the very least.
In practice it is very easy to deanon using social engineering.
It is enough to open a shared link to expose your IP. A lot of people would click something like "Belorussian protestors got deanonized" or "10 ways to keep you safe" in a group chat. Just give it a catchy title. And this link is specially crafted to lead to the exposer server.
Who would watch an interview being held by a crazy person and take it at face value? Anyone with half a brain would avoid watching or listening to Tucker Carlson like the plague.
This distinction gets lost in these discussions all of the time. A company that makes an effort to comply with laws is in a completely different category than a company that makes the fact that they’ll look the other way one of their core selling points.
Years ago there was a case where someone built a business out of making hidden compartments in cars. He did an amazing job of making James Bond style hidden compartments that perfectly blended into the interior. He was later arrested because drug dealers used his hidden compartment business to help their drug trade.
There was an uproar about the fact that he wasn’t doing the drug crimes himself. He was only making hidden compartments which could be used for anything. How was he supposed to know that the hidden compartments were being used for illegal activities rather than keeping people’s valuables safe during a break-in?
Yet when the details of the case came out, IIRC, it was clear that he was leaning into the illegal trades and marketing his services to those people. He lost his plausible deniability after even a cursory look at how he was operating.
I don’t know what, if any, parts of that case apply to Pavel Durov. I do like to share it as an example of how intent matters and how one can become complicit in other crimes by operating in a manner where one of your selling points is that you’ll help anyone out even when their intent is to break the law. It’s also why smart corporate criminals will shut down and walk away when it becomes too obvious that they’re losing plausible deniability in a criminal enterprise.
What do you mean "look the other way?" Does the phone company "look the other way" when they don't listen in to your calls? Does the post office "look the other way" when they don't read your mail?
That guy who built the hidden compartments should absolutely not have gone to jail. The government needs to be put in check. This has gotten ridiculous.
If the police tell them illegal activity is happening and give them a warrant to wiretap and they are capable of doing so but refuse then yeah they’re looking the other way. That’s not even getting into things like PRISM.
If you know your services are going to be used to commit a crime, then yes, that makes you an accessory and basically all jurisdictions (I know basically nothing about French criminal law) can prosecute you for that. Crime is, y'know, illegal.
I'm appalled that you would argue in good faith that a tool for communicating in secret can be reasonably described as a service used to commit a crime.
Why aren't all gun manufacturers in jail then? They must know a percentage of their products are going to be used to commit crimes. A much larger percentage than those using Telegram to commit one.
> I'm appalled that you would argue in good faith that a tool for communicating in secret can be reasonably described as a service used to commit a crime.
The usual metaphor is child pornography, but let's pick something less outrageous: espionage. If a spy uses your messaging platform to share their secrets without being detected & prevented, that's using the service to commit a crime. Now, if you're making a profit from said service, that doesn't necessarily make you a criminal, but if you start saying "if spies used this platform, they'd never be stopped or even detected", that could get you into some serious trouble. If you send a sales team to the KGB to encourage them to use the platform, even more so.
Gun manufacturers have repeatedly been charged with crimes (some are currently in court). I'd argue that messaging platforms have, historically, been less likely to be charged with crimes.
The second amendment gives weapon makers some extra protection in the US, but they do have to be very careful about what they do and do not do in order to avoid going to jail.
> They must know a percentage of their products are going to be used to commit crimes. A much larger percentage than those using Telegram to commit one.
Do you have the stats on that? I don't, but I'm curious. While I don't doubt the vast majority of people using Telegram aren't committing a crime, I know that the vast majority of people using guns also aren't committing a crime.
> I'm appalled that you would argue in good faith that a tool for communicating in secret can be reasonably described as a service used to commit a crime.
That's because you're assuming facts not in evidence and painting the broadest possible argument. Obviously we don't know the details yet, but it's not unlikely that this situation was a bit more specific.
Consider:
F: "We want you to give us the chat logs of this terrorist"
T: "OK!"
F: "Now we need you to give us the logs from this CSAM ring"
T: "No! That's a violation of their free speech rights!"
You can't put your own moral compass in place of the law, basically. That final statement is very reasonably interpreted as obstruction or conspiracy, where a blanket refusal would not be.
You are right; the arrest might be legal and even morally justifiable.
However, I still argue that wanting to provide secret communication (which Telegram actually doesn't do) is not abetting crime or helping it more than any other product.
In fact, in my humble opinion, it's the opposite: Private communications are a countermeasure against the natural tendency of governments to become tyrannical, and thus maintaining one is an act of heroism.
> Private communications are a countermeasure against the natural tendency of governments to become tyrannical, and thus maintaining one is an act of heroism.
That's an easy enough statement in the abstract, but again it doesn't speak to the case of "Durov knowingly hid child porn consumers from law enforcement", which seems likely to be the actual crime. If you want to be the hero in your story, you need to not insert yourself into the plot.
The answer to this charade is that to "prove" that you're not doing anything wrong you need to secretly provide all data from anyone that the government doesn't like. Otherwise you go to jail.
If this was really true for banks there would be a large number of bankers in jail. This number being close to zero, I guess the courts are very lax at charging bankers for crimes.
Banks are a terrible example for this thread's argument. Banking is essentially the end result of what happens when businesses kowtow to the invasive demands of the government, implement ever-more invasive content policing, becoming de facto arms of the bureaucratic state.
A bank will drop you if they even think you might be doing something (demonstrably on paper) illegal. When opening an account, some of the very first questions a bank asks you are "where did you get this money" and "what do you do for work" - proactively making you responsible for committing to some type of story. All of the illegality you're trying to reference is happening under a backdrop of reams of paperwork that make it look like above board activity to compliance departments. Without that paperwork when shit does hit the fan, people working at the bank do tend to go to jail. But with that paperwork it's "nobody's fault" unless they manage to find a few bank employees to pin it on.
Needless to say, this type of prior restraint regime being applied to free-form communication would be an abject catastrophe.
Banks do a massive amount of tracking and flagging. Even putting a joke “for drugs” in a Venmo field can cause issues. Plus reporting large transactions. There was a massive post on HN yesterday about how often banks close startup accounts due to false positives.
> the real criminals continue doing their business everyday
Any source for that? Media loves to blame banks for everything, but when you go into the details it always seems pretty marginal (e.g. the HSBC Mexico stuff).
It cannot be marginal because drug traffic, just as an example, moves billions of dollars every year. They certainly have schemes and someone in the banking system must be complying with these schemes. Every time the officials uncover one of these schemes, banks are miraculously not charged with anything and they don't even give back the profits of the illegal operation.
If you provide a service that is used for illegal behavior AND you know it’s being used that way AND you explicitly market your services to users behaving illegally AND the majority of your product is used for illegal deeds THEN you’re gonna have a bad time.
If one out of ten thousand people use your product for illegal deeds you’re fine. If it’s 9 out of 10 you probably aren’t.
> If one out of ten thousand people use your product for illegal deeds you’re fine.
This logic clearly makes the prison of someone like the owner of Telegram difficult to justify, since 99.999% of messages in telegram are completely legal.
If 10,000 people out of 10 million are doing illegal things and you know about it or you are going out of your way to turn a blind eye then you’re gonna have a bad time.
Keep in mind that as soon as you store user accounts you keep user data, which is perhaps a trivial form of eavesdropping, but clearly something law enforcement takes an interest in.
Try to deposit 10k to your bank account and then, when they call you and ask the obvious question, answer that you sold some meth or robbed someone. They will totally be fine with this answer, as they are just a platform for providing money services and well, you can always just pay for everything in cash.
And even then you don’t have to tell them it’s illegal. Just what you earned. Frankly they don’t care where it came from as long as you report and pay.
No, you have to specify where it came from. You don't have to say what crime you committed, but you'd list the income under "income from illegal activities".
Suppose you knit mittens and sell them for cash out of your garage. The IRS expects you to report and pay taxes on the income. How do they check that the sum you specified is correct?
Not sure how it works in the US. In Germany you are supposed to have a cash register or issue an invoice on each purchase, and sometimes (though really rarely given lack of personnel) they can randomly check if your reported numbers make sense together.
It's not clear how that sort of thing would even help, it seems like just a trap for the unwary. If you're an honest person selling your mittens and paying your taxes without knowing you're supposed to have a cash register, you could get unlucky and get in trouble for innocuous behavior. If you're a drug dealer then you get a cash register and ring up all your drug sales as mitten sales. Or, if someone wanted to report less income, they would have a cash register and then use it to ring up less than all of the sales. Whether or not you have the cash register can't distinguish these and is correspondingly pointless.
If you are directly aiding and abetting without any plausible attempt to minimize bad actors from using your services then absolutely.
For example, CP absolutely exists on platforms like FB or IG, but Meta will absolutely try to moderate it away to the best of their ability and cooperate with law enforcement when it is brought to their attention.
And like I have mentioned a couple times before, Telegram was only allowed to exist because the UAE allowed them to, and both the UAE and Russia gained ownership stakes in Telegram by 2021. Also, messaging apps can only legally operate in the UAE if they provide decryption keys to the UAE govt because all instant messaging apps are treated as VoIP under their Telco regulation laws.
> For example, CP absolutely exists on platforms like FB or IG, but Meta will absolutely try to moderate it away to the best of their ability
Is this true? After decades now of a cat and mouse game, it could be argued that they are simply incapable. As such, the "best of their ability" would be using methods that don't suit their commercials - e.g verifying all users manually, requiring government ID, reviewing all posts and comments before they're posted, or shutting down completely.
I understand these methods are suicidal in capitalism, but they're much closer to the "best of their ability". Why do we accept some of the largest companies in the world shrugging their shoulders and saying "well we're trying in ways that don't impact our bottom line"?
If you are a criminal lawyer who is providing defense, that is acceptable because everyone is entitled to a fair trial and defense.
If you are a criminal lawyer who is directly abetting in criminal behavior (eg. a Saul Goodman type) you absolutely will lose your Bar License and open yourself up to criminal penalties.
If you are a criminal lawyer who is in a situation where your client wants you to abet their criminal behavior, then you are expected to drop the client and potentially notify law enforcement.
> If you are a criminal lawyer who is directly abetting in criminal behavior
Not a lawyer myself but I believe this is not a correct representation of the issue.
A lawyer abetting in criminal behaviour is committing a crime, but the crime is not offering his services to criminals, which is completely legal.
When offering their services to criminals law firm or individual lawyers in most cases are not required to report crimes they have been made aware of under the attorney-client privilege and are not required to ask to minimize bad actors from using their services.
In short: unless they are committing crimes themselves, criminal lawyers are not required to stay clear from criminals, actually, usually the opposite is true.
Are you talking about Brian Steel? He was held in contempt because he refused to name his source that informed him of some misconduct by the judge (ex parte communication with a witness). That's hardly relevant here, the client wasn't involved at all as far as anyone knows.
> any plausible attempt to minimize bad actors from using your service
I mentioned criminal lawyers because their job is literally to "offer their services to criminals or to people accused of being criminals" and they have no obligation whatsoever to minimize bad actors from using your service, in fact bad actors are usually their regular clientele and they are free to attract as many criminals as they like in any legal way they like.
Helping a criminal to commit a crime is an entirely different thing and anyway it must be proved in a court, it's not something that can be assumed on the basis of allegations (their clients are criminal, so they must be criminal too).
That's why in that famous TV drama Jessy Pinkam says "You dont want a criminal lawyer, you want a Criminal. Lawyer.".
The premise of this story is that Telegram offers a service which is very similar to safe deposit boxes, the bank it's not supposed to know what you keep in there hence they are not held responsible if they are used for illegal activities.
In other words most of the times people do not know and are not required to know if they are dealing with criminals, but, even if they did, there are no legal reasons to avoid offering them your services other than to avoid problems and/or on moral grounds (which are perfectly understandable motives, but are still not a requirement to operate a business).
Take bars, diners, restaurants, gas stations or hospitals, are they supposed to deny their services?
And how exactly should they take action to minimize bad actors from using your service?
If someone goes to a restaurant and talks about committing a crime, is the owner abetting the crime?
I guess probably not, unless it is proven beyond any reasonable doubt that he actually is.
It doesn't matter if it's true or false it only matters what the justice system can prove.
> The premise of this story is that Telegram offers a service which is very similar to safe deposit boxes, the bank it's not supposed to know what you keep in there hence they are not held responsible if they are used for illegal activities.
This is the issue. Web platforms DO NOT have that kind of legal protection - be it Telegram, Instagram, or Hacker News.
Safe Harbor from liability in return for Content Moderation is expected from all internet platforms as part of Section 230 (USA), Directive 2000/31/EC (EU), Defamation Act 2023 (UK), etc.
As part of that content moderation, it is EXPECTED that you crack down on CP, Illicit Drug Transactions, Threats of Violence, and other felonies.
Also, that is NOT how bank deposit boxes work. All banks are expected to KYC if they wish to transact in every major currency (Dollar, Euro, Pound, Yen, Yuan, Rupee, etc) and if they cannot, they are expected to close that account or be cut off from transacting in that country's currency.
> That's why in that famous TV drama Jessy Pinkam says "You dont want a criminal lawyer, you want a Criminal. Lawyer.".
First, it's Pinkman BIATCH not Pinkam.
And secondly, Jimmy McGill (aka Saul Goodman) was previously suspended by the NM Bar Association barely 5 years before Breaking Bad, and was then disbarred AND held criminally liable when SHTF towards the finale.
At least in the case of Section 230, distributors that do not moderate do not need it because they do indeed have that kind of legal protection - see Cubby v. CompuServe for an example. Section 230 was created because a provider that did moderate tried to use this precedent in court and its applicability was rejected, and Congress decided that this state of affairs incentivized the wrong kind of behavior.
This is precisely why Republicans want to repeal it - if they succeed, it would effectively force Facebook etc to allow any content.
> This is the issue. Web platforms DO NOT have that kind of legal protection - be it Telegram, Instagram, or Hacker News.
e2e encryption cannot be broken though
> Safe Harbor from liability in return for Content Moderation is expected from all internet platforms as part of Section 230 (USA), Directive 2000/31/EC (EU), Defamation Act 2023 (UK), etc.
I have no sympathy for Durov and I don't care if they throw away the keys, but what about Mullvad then?
I guess that a service whose main feature is secrecy and anonymity should at least provide anonymity and secrecy.
> CP, Illicit Drug Transactions, Threats of Violence, and other felonies
you understand better than me that the request is absurd all of this is in theory, in practice nobody can actually do it for real, the vast majority of illicit clear text content are honeypots created by agents of various agencies to threaten the platforms and force them to cooperate. nothing's new here, but let's not pretend that this is to prevent crimes.
also: the allegations against Telegram are that they do not cooperate, but we don't actually know if they really crack down on CP or other illegal activities or not, because if they don't, the reasonable thing to do would be to shut down the platform, what does arresting the CEO accomplish? (rhetorical question: they - I don't want to throw names, but i think that the usual suspects are involved - want access to and control of the content, closing the platform would only deny them access and would create uproar among the population - remember when Russia blocked Telegram?)
also 2: AFAIK Telegram requires a phone number to create an account, it's the responsibility of the provider to KYC when selling a phone number, not Telegram's.
also 3: safe deposit boxes are not necessarily linked to bank accounts. I pay for a safety deposit box in Switzerland but have no Swiss bank account.
So my guess is the EU wants in some way to control the narrative in Telegram channels where the vast majority of the news regarding the war in Ukraine spread from the war front to the continent.
> First, it's Pinkman BIATCH not Pinkam.
Sorry. I'm dyslexic and English is not my mother tongue, but the 4th language I've learned, when I was already a teenager.
> was previously suspended by the NM Bar Association
that was the point. TV dramas need good characters and a criminal lawyer who's also a criminal is more interesting than a criminal lawyer who's just a plain boring lawyer that indulges in no criminal activity whatsoever.
> operating in a manner where one of your selling points is that you’ll help anyone out even when their intent is to break the law
is it what happened here?
in my view Durov is the owner renting his apartment and not caring what people do inside it, which is not illegal, someone could go as far as to say that it is morally reprehensible, but it's not illegal in any way.
It would be different if Durov knew but did not report it.
Which, again, doesn't seem what happened here and it must be proven in a court anyway, I believe everyone in our western legal systems still has the right to the presumption of innocence.
Telegram not spying on its users is the same thing as Mullvad not spying on its users and not saving the logs. I consider it a feature not a bug, for sure not complicity in any crime whatsoever.
As far as I can see, CP is probably the fastest way to get a channel and related account wiped on Telegram in a very short time. As a Telegram group manager, I often see automated purges of CP-related ads/content, or auto lockouts for managers to clear up the channel/group. Saying Telegram isn't managing CP problems is just absurd. I really feel like they just created the reason for another purpose.
Read the founder exit letter. whatsapp is definitely not e2e encrypted for all features.
You leak basic metadata (who talked to who at what time).
You leak 100% of messages with "business account", which are another way to say "e2e you->meta and then meta relays the message e2e to N recipients handling that business account".
Then there's all the links and images which are sent e2e you->meta, meta stores the image/link once, sends you back a hash, you send that hash e2e to your contact.
there's so many leaks it's not even fun to poke fun at them.
And I pity anyone who is fool enough to think meta products are e2e anything.
> with "business account", which are another way to say "e2e you->meta and then meta relays
actually it's a nominated end point, and then from there it's up to the business. It works out better for meta, because they aren't liable for the content if something goes wrong. (ie a secret is leaked, or PII gets out.) Great for GDPR because as they aren't acting as processor of PII they are less likely to be taken to court.
Whatsapp has about the same level of practical "privacy" (encryption is a loaded word here) as iMessage. The difference is, there are many more easy ways to report nasty content in whatsapp, which reported ~1 million cases of CSAM a year vs Apple's 267. (not 200k, just 267. That's the whole of Apple. https://www.missingkids.org/content/dam/missingkids/pdfs/202...)
Getting the content of normal messages is pretty hard, getting the content of a link, much easier.
iMessage is not on the same playing field as Whatsapp and Signal. Apple has full control over key distribution and virtually no one verifies Apple isn't acting as a MitM. Whatsapp and e2e encrypted messenger force you to handle securely linking multiple devices to your account and gives you the option to verify that Meta isn't providing bogus public keys to break the e2e encryption.
For iMessage, Apple can just add a fake iDevice to your account and now iMessage will happily encrypt everything to that new key as well and there's zero practical visibility to the user. If it was a targeted attack and not blanket surveillance then there's no way the target is going to notice. You can open up the keychain app and check for yourself but unless you regularly do this and compare the keys between all your Apple products you can't be sure. I don't even know how to do that on iPhone.
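The check the comment above says users would have to do by hand (comparing the device keys a provider serves against keys already verified), as an added example that is not part of the original thread or any vendor's code. The key bytes, device labels and fingerprint format are constructed for illustration and are not iMessage's, WhatsApp's or Signal's actual formats.

```python
"""Client-side detection of a silently added device key (constructed example)."""
import hashlib
from dataclasses import dataclass, field


def fake_key(label: str) -> bytes:
    """Constructed 32-byte stand-in for a device public key (not a real key)."""
    return hashlib.sha256(("constructed:" + label).encode()).digest()


def key_fingerprint(public_key: bytes) -> str:
    """First 128 bits of SHA-256 over one key, grouped for reading aloud."""
    digest = hashlib.sha256(public_key).hexdigest()[:32]
    return " ".join(digest[i:i + 4] for i in range(0, 32, 4))


def conversation_fingerprint(my_keys, their_keys) -> str:
    """Fingerprint over every device key in a conversation.

    Each party computes it from the keys its own client was served. Sorting
    both sides makes the value identical for both parties when, and only
    when, they were served the same key sets.
    """
    sides = sorted([sorted(set(my_keys)), sorted(set(their_keys))])
    h = hashlib.sha256()
    for side in sides:
        h.update(len(side).to_bytes(2, "big"))
        for key in side:
            h.update(len(key).to_bytes(2, "big"))  # length-prefix each key
            h.update(key)
    return h.hexdigest()[:32]


@dataclass
class KeyChange:
    contact: str
    added: list    # keys served now that were never pinned
    removed: list  # pinned keys no longer served


@dataclass
class PinStore:
    """Per-contact set of device keys the local user has accepted."""
    pins: dict = field(default_factory=dict)

    def check(self, contact, served_keys):
        """Return None if the served keys match the pins, else a KeyChange."""
        served = set(served_keys)
        if contact not in self.pins:
            self.pins[contact] = served  # trust on first use
            return None
        known = self.pins[contact]
        if served == known:
            return None
        return KeyChange(contact, sorted(served - known), sorted(known - served))

    def accept(self, contact, served_keys):
        """Call only after the fingerprints were compared out of band."""
        self.pins[contact] = set(served_keys)

    def safe_recipients(self, contact, served_keys):
        """Fail closed: encrypt only to keys that are served AND pinned."""
        return sorted(set(served_keys) & self.pins.get(contact, set()))


def demo():
    alice = [fake_key("alice-phone")]
    bob_real = [fake_key("bob-phone"), fake_key("bob-laptop")]
    store = PinStore()
    first = store.check("bob", bob_real)

    # Later the key directory serves one extra key for Bob.
    served_later = bob_real + [fake_key("unknown-device")]
    change = store.check("bob", served_later)
    return {
        "first": first,
        "change": change,
        "recipients": store.safe_recipients("bob", served_later),
        # Alice's client sees the extra key; Bob's own device list does not.
        "alice_view": conversation_fingerprint(alice, served_later),
        "bob_view": conversation_fingerprint(bob_real, alice),
    }


if __name__ == "__main__":
    result = demo()
    for key in result["change"].added:
        print("unverified new device key:", key_fingerprint(key))
    print("fingerprints match:", result["alice_view"] == result["bob_view"])
```

The mismatch between the two conversation fingerprints is what an out-of-band comparison would surface; the pin store catches the same change locally before anything is encrypted to the new key.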
never thought about using csam image hash alerts as a measure of platform data leaks (and popularity as i doubt bots will be sharing them). that's very smart.
and shows that fb eclipses everyone by an insane margin it's scary!
about your point on business accounts, the documents i reviewed included dialog tree bots managed by meta. not sure if not having that change things... but in that case it was spelled out that meta is the recipient
It's more a UX/org thing. In iMessage how do you report a problematic message? you can't easily do it.
In whatsapp, the report button is on the same menu that you use to reply/hide/pin/react.
Once you do that, it sends the offending message to meta, unencrypted. To me, that seems like a reasonable choice. Even if you have "proper" e2ee, it would still allow rooting out of nasty/illegal shit. those reports are from real people, rather than automated CSAM hashing on encrypted messages. (although I suspect there is some tracking before and after.)
It's the same with instagram/facebook. The report button is right there. I don't agree with FB on many things, but this one I think they've made the right choice.
Telegram is for the most part not end-to-end encrypted, one to one chats can be but aren't by default, and groups/channels are never E2EE. That means Telegram is privy to a large amount of the criminal activity happening on their platform but allegedly chooses to turn a blind eye to it, unlike Signal or WhatsApp, who can't see what their users are doing by design.
Not to say that deliberately making yourself blind to what's happening on your platform will always be a bulletproof way to avoid liability, but it's a much more defensible position than being able to see the illegal activity on your platform and not doing anything about it. Especially in the case of seriously serious crimes like CSAM, terrorism, etc.
End-to-end encrypted means that the server doesn’t have access to the keys. When server does have access, they could read messages to filter them or give law enforcement access.
If law enforcement asked them nicely for access I bet they wouldn't refuse. Why take responsibility for something if you can just offload it to law enforcement?
The issue is law enforcement doesn't want that kind of access. Because they have no manpower to go after criminals. This would increase their caseload hundredfold within a month. So they prefer to punish the entity that created this honeypot. So it goes away and along with it the crime will go back underground where police can pretend it doesn't happen.
Telegram is basically punished for existing and not doing law enforcement job for them.
Maybe they didn't ask nicely. Or they asked for something else. There's literally zero drawback for service provider to provide secret access to the raw data that they hold to law enforcement. You'd be criminally dumb if you didn't do it. Literally criminally.
I bet that if they really asked, they pretty much asked Telegram to build them one click creator that would print them court ready documents about criminals on their platform so that law enforcement can just click a button and yell "we got one!" to the judge.
> There's literally zero drawback for service provider to provide secret access to the raw data that they hold to law enforcement.
That's not true. For one thing, it is expensive. For another, there's a chance people will find out and you'll lose all your criminal customers... they might even seek retribution.
> I bet that if they really asked, they pretty much asked Telegram to build them one click creator that would print them court ready documents about criminals on their platform so that law enforcement can just click a button and yell "we got one!" to the judge.
You seem to believe, without having looked at the publicly available facts of the matter, that the problem is law enforcement didn't say "pretty please". The fact of the matter is that they've refused proper law enforcement requests repeatedly; if anyone has been rude about it, it's been Durov.
The chats are encrypted but the backup saved in the cloud isn't. So if someone gets access to your Google Drive he can read your WhatsApp chats. You can opt-in to encrypt the backup but it doesn't work well.
Meta seems to shy away from saying they don't look at the content in some fashion. Eg they might scan it with some filters, they just don't send plaintext around.
Yes, WA messages are supposed to be e2e encrypted. Unless end-to-end encryption is prohibited by law in your jurisdiction, I don't see how that question is relevant in this context.
The receiving end shared your message with the administrators? E2e doesn't mean you aren't allowed to do what you want with the messages you receive, they are yours.
Nope, it didn't even arrive on their end, it prevented me from sending the message and said I wasn't allowed to send that. So they are pre screening your messages before you send them.
Isn't Meta only end-to-end encrypted in the most original definition, in so much that it is encrypted to each hop? But it's not end-to-end encrypted like Signal, i.e. Meta can snoop all day.
If a service provider can see plain text for a messaging app between the END users, that is NOT end-to-end encryption, by any valid definition. Service providers do not get to be one of the ends in E2EE, no matter what 2019 Zoom was claiming in their marketing. That's just lying.
What has E2EE got to do with it? If you catch someone who sent CP you can open their phone and read their messages. Then you can tell Meta which ones to delete and they can do it from the metadata alone.
I'm more disturbed by the fact that on HN we have 0 devs confirming or denying this thing about FB's internals wrt encryption. We know there are many devs that work there that are also HN users. But I've yet to see one of them chime in on this discussion.
I find it pretty ridiculous to assume that any dev would comment on the inner workings of their employer's software in any way beyond what is publicly available anyway. I certainly wouldn't.
Why not? If I think my employer is doing something unethical, I certainly would. That would be the moral thing to do.
This tells me most of the people implementing this are either too scared of the consequences, or they think what they're implementing is ethical and/or the right thing to do. Again, both are scary thoughts we should be highly concerned about in a healthy society that talks about these things.
One other potential explanation: FB and these large behemoths have compartmentalized the implementations of these features so much that no one can speak authoritatively about its encryption.
You are talking about a company whose primary business idea it is to lock up as much of the world's information as possible behind their login.
The secondary business idea is to tie their users' logins to their real world identities, to the point of repeatedly locking out users who live under threat and refuse to disclose their real name.
For Reddit it is a bit documented how some power-mods used to flood subreddits with child porn to get them taken down. It was seemingly done with the administration's best wishes. Not sure if it is still going on, but some of these people are certainly around, in the same positions.
That’s disgusting but certainly effective to take down something very quickly.
I was very disappointed to hear that UFO related subreddits take down and block UFO sightings. What’s the whole point of the sub if they censor the relevant content.
This is unrelated to main thread but since you brought up UFOs and censorship. Isn't it a disgrace what Wikipedia has done to the trove of "list of UFO sightings"?
Those listings were great and well documented up until about 2019 or so. They've been scrubbed heavily.
Yes it is. I don’t recall when and if I check out the list of UFO sightings on Wikipedia but I’m very aware of the problem.
In the English wiki it’s a group “Guerilla Skepticism” which dominates the field on esoteric content and much more.
In Germany we have the same situation and very likely every language has the same issue.
The bigger picture is that the whole content from Wikipedia gets fed into the AIs and then it answers you with practically the strongly moderated, censored, misleading content from Wikipedia.
The very disappointing thing is that nobody can do anything about the mods in Wikipedia, they dominate the place.
I've actually given up trying to post on Reddit for this reason. Whenever I've tried to join in on a discussion in some subreddit that's relevant(eg r/chess) my post has been autoremoved by a bot because my karma is too low or my account is "too new". Well how can I get any karma if all my posts are deleted?
Even those who farm accounts know the simple answer to your question. You have to spend a little time being civil in other subreddits before you reveal the real you. Just takes a few weeks.
The comments I made were quite serious and civil. Not sure what you mean. They were autodeleted by a bot. I wasn't trolling or anything.
I'm not particularly interested in spending a lot of time posting on reddit. But very occasionally I'll come across a thread I can contribute meaningfully to and want to comment. Even if allowed I'd probably just make a couple comments a year or something. But I guess the site isn't set up for that, so fuck it.
Sounds like you glossed over the phrase “in other subreddits”, which is the secret sauce. The point of my phrasing was not to suggest that you aim to be uncivil, but to highlight that the above works even for those who do aim to. So, surely, it should work for you, too.
I can see how it's frustrating, but the communities you're trying to post in are essentially offloading their moderation burden onto the big popular subreddits with low requirements -- if you can prove you're capable of posting there without getting downvoted into oblivion, you're probably going to be less hassle for the smaller moderator teams.
That's silly. I gotta go shitpost in subreddits I have no interest in as some sort of bizarre rite of passage? I'd rather just not use the site at that point.
Actually, HN has a much better system. Comments from new accounts, like your throwaway, are dead by default, but any user can opt in to seeing dead posts, and any user with a small amount of karma can vouch those posts, reviving them. Like I just did to your post.
It's simpler, the US wants to control the narrative everywhere and in everything, just like in the 90s and 00s. Things like Telegram and Tiktok and to some extent RT, stand in the way of that.
But why don’t they arrest them for allowing it to happen? Phone calls should be actively moderated to block customers who speak about terrorist activity.
Because the telcos _cooperate_ with law enforcement.
It's not whether the platform is being used for illegal activity (all platforms are to some extent, as your facile comment shows). It's whether the operator of a platform actively avoids cooperating with LE to stop that activity once found.
I know. That’s obviously true, but I hate that it happens and it makes no sense to me why more people aren’t upset by it. What I’m trying to get at is that complying with rules that are stupid, ineffective, and unfair is not a good thing and anyone who thinks these goals are reasonable should apply them to equivalent services to realize they’re bad. Cooperation with law enforcement is morally neutral and not important.
The real goal is hurting anyone that’s not aligned with people in power regardless of who is getting helped or harmed. Everyone knows this but so many people in this thread are lying about it.
> anyone who thinks these goals are reasonable should apply them to equivalent services to realize they’re bad
AFAIK these goals _are_ applied to equivalent services. It's just that twitter, FB, Instagram, WhatsApp, and all the others _do_ put in the marginal amount of effort required to remove/prohibit illicit activity on their platform.
Free speech is one thing, refusing to take down CSAM or drug dealing operating in the open is always going to land you in hot water.
I don’t agree that internet platforms deserve to be in their own special category which is uniquely required to police bad content. The only reason it happens is because it’s not politically or technically feasible to do it when the message comes through another medium.
I think it’s wrong on social media for the exact same reason it’s wrong to arrest power companies if a guy staples printed CSAM to a utility pole. Same thing for monitoring private phone calls. We know that AI can detect people talking about terrorism on the phone and cameras can monitor paper ads and newsletters in public spaces, but nobody would advocate for making this a legal requirement because it’s insane. The fact that nobody cares is proof that the public does value privacy and free speech. Why are so many of them tricked into thinking the internet is an exception?
I want people to commit to their beliefs and either admit they want surveillance wherever it’s technically feasible or give up and recognize that internet surveillance is also wrong. No more of this “surveillance is good but legacy platforms are exempt” waffling. Very frustrating and only serves the interests of people who already have power
From what I've read the arrest wasn't related to lack of proactive moderation, but the lack of, or refusal to do, reactive moderation i.e. law enforcement say "there's CSAM being distributed on your platform here" and the owner shrugs
> for the exact same reason it’s wrong to arrest power companies if a guy staples printed CSAM to a utility pole
That seems like a bad analogy. A closer one would be that I rent the pole space to people who I am told by law enforcement are committing serious crime in the open, using the pole I am renting to them. Additionally, I am uniquely capable of a) removing the printouts b) passing on whatever information I have about those involved (maybe zero, but at least I say that). The issue is refusing both. I don't feel they are egregious requests.
(this is not a tacit approval of digital surveillance)
I don't think it's a crime not to report a crime, at least not where I live. But facilitating a crime, which is something you could accuse telegram of is.
CSAM is different - in the US, as well as France, the law designates the service provider as a mandatory reporter. If you find CSAM and don't report the user who posted it to authorities (and Telegram have phone numbers of users) then they are breaking the law.
On top of that, if you can be shown to benefit from the crime (e.g. by knowingly taking payment for providing services to those that commit it), that presumably makes you more than just a bystander in most jurisdictions anyway.
It is only for specific crimes not all crimes and there are exemptions when you don’t have to report the crime in Germany. For example family members don’t have to report if they try to convince the other party not to do it. Priests and other religious figures don’t have to do it. Lawyers, physicians, therapists etc. are also exempted.
It is also only for upcoming not yet accomplished crimes. Crimes already happened don’t have to be reported.
Also it has to be proven that you received the plan in a plausible manner.
That link you posted is 1) about very specific crimes (treason, murder, manslaughter, genocide etc.) and 2) it applies only when you hear about a crime that is being planned but which has not been committed yet (and can still be prevented).
You're technically right (I think). However, I believe if you witness a murder and know the murderer and the police asks you: "Do you know anything about X murder?" Then I think you're legally required to tell the truth here.
If someone says I need a cab for after I rob a bank and you give them a ride after waiting then you’re almost certainly an accessory. If they flag a random cab off the street then not.
It doesn’t extend to police questioning, I also pointed out it’s a different thing when you are in a court.
For the police an innocent bystander can turn into a suspect real fast.
The English common law tradition has a crime called “misprision”. Misprision of treason is the felony of knowing someone has committed or is about to commit treason but failing to report it to the authorities.
It still exists in many jurisdictions, including the UK, the US (it is a federal crime under 18 U.S. Code § 2382, and also a state crime in most states), Australia, Canada, New Zealand and Ireland.
Related was the crime “misprision of felony”, which was failure to report a felony (historically treason was not classed as a felony, rather a separate more serious category of crime). Most common law jurisdictions have abolished it, in large part due to the abolition of the felony-misdemeanour distinction. However, in the US (which retains that distinction), it is a federal crime (18 U.S. Code § 4). However, apparently case law has narrowed that offence to require active concealment rather than merely passive failure to report (which was its original historical meaning)
Many of the jurisdictions which have abolished misprision of felony still have laws making it a crime not to report certain categories of crime, such as terrorism or child sexual abuse
If you're the witness to a murder and you're subpoena'd to court and refuse to testify then you are committing contempt of court. There was a guy in Illinois who got 20 years (reduced to 6 on appeal) for refusing to testify in a murder.
Contempt of court usually has no boundaries on the punishment, nor any jury trials. A judge can just order you to be executed on the spot if you say, fall asleep in his courtroom. Sheriffs in Illinois have the same unbridled power over jail detainees.
I think in actual practice you will rarely get contempt for refusing to testify or taking the fifth for questions that could only tenuously implicate yourself in practice.
Usually if you let the prosecutor know up-front that you're not willing to cooperate they will tend to save themselves the hassle of trying. It can go wrong if they subpoena a belligerent witness, then they don't turn up on the day they're supposed to testify, and now the jury is empaneled and they start doing a dance where they demand the sheriff finds the witness, but then the clock runs out on holding the jury and it's a mistrial all round.
Yes, "I don't recall" is the oft-heard phrase in the witness stand. I don't remember the specifics of that case and why the guy decided to martyr himself.
I don't think it's necessarily self-incrimination to report a crime you witnessed, though I think it's dependent based on the time from when it occurred to the time of reporting.
Depending on the jurisdiction and the crime and the circumstances an act of omission (like ignoring a murder) would be suspicious and may get you charged with aiding and abetting.
I have my dead creepy uncle's phone in my drawer right now, and can give you soft core child porn from his instagram. His algorithm was even tuned to keep giving endless supply of children dancing in lingerie, naked women breastfeeding children while said children play with her private part, prostitutes of unknown age sharing their number on the screen, and porn frames hidden in videos.
If we're doing US criminal law, failing to report crimes is a red herring here, right? I'd assume the accusation would turn on accomplice liability, on Durov both knowing about the crime and, in that knowing state of mind, doing something concrete to help it (like concealing it from inquiring authorities).
Obviously this is French criminal law, which is, well, wow.
YouTube ignored reports for CSAM links in comments of "family videos" of children bathing for years until a channel that made a large report on it went viral.
Who you are definitely determines how the law handles you. If you're Google execs, you don't have to worry about the courts of the peasantry.
IANAL and not that familiar with the legal situation, but if we assume that running a platform of this type requires you, by law, to moderate such a platform and he fails to do that, idk what we are talking about. Yes, he would clearly be breaking the law. Why would that not get prosecuted in the completely normal, boring way that I would hope all law breaking will eventually be prosecuted?
If you are alleging that there's comparable, specific and actual legal infringements on the part of meta/google, that somehow go uninvestigated and unpunished, feel free to point to that.
frankly, even with unencrypted chats, any law/precedent requiring that platform providers have to scale moderation linearly with the number of users (which is effectively what this is saying) sounds like really bad policy (and probably further prevents the EU from building actual competitors to American tech companies)
It was their decision to become something bigger than a simple messaging app by adding channels and group chats with tons of participants.
It was also their decision to understaff content moderation team.
Sometimes the consequence is a legal action, like the one we're seeing right now. All this could have been easily avoided if they had E2EE or enough people to review reported content and remove it when necessary.
Telegram started 11 years ago. I know the term has been diluted for ages, but it still rubs me the wrong way to use the word startup for decade old businesses.
A straightforward legal responsibility should be shirked because scaling moderation is hard? How many other difficult things do you propose moving outside the law?
That's not the case here though. Most of the communication on Telegram is not E2E Encrypted.
Even E2EE messaging service providers have to cooperate in terms of providing communication metadata and responding to takedown requests. Ignoring law enforcement lands you in a lot of shit everywhere, in Russia you'll just be landing out of a window.
These laws have applied for decades in some shape or form in pretty much all countries, so it shouldn't come as a surprise.
Have you used Telegram before making this comment? It is moderated. You really think this is about the company, the platform, not about politics? Well you should think again.
It is much less aggressively moderated and censored than Facebook, and pleasant to use. Source: first hand experience.
But I have no idea if it truly has more or less crime than other platforms. So we can't really tell if he's being messed with because he can't stand up for himself in a way Microsoft or Musk can, or it is truly a criminal problem.
Should have written >unmoderated<. No service would live 2 hours if it would be actually unmoderated. But seemingly they only remove content that is directly a product of/causing physical harm.
As far as I've heard, they did that only under threat of getting kicked out of the Apple and Google app stores. Supposedly, the non-app-store versions don't have these blocks.
In other words, Apple and Google are the only authorities they recognize (see also [1]). I'm not surprised this doesn't sit well with many governments.
The real deal channels are still accessible. I follow them every day. It's the only way of getting a clear picture of the situation in Ukraine. Both sides are heavily using it. Also during combat operations.
One of those was @rtnews which is definitely state-sponsored propaganda and remains inaccessible to this day.
They cooperated to some degree, but I'll go out on a limb to say that the authorities wanted Telegram to be fully subservient to western government interests.
there were multiple Kremlin propaganda outlets you could read in the US 40 years ago, although it is true that (IIRC) there were restrictions on broadcast television
> Eliminating child pornography and organised crime is a societal rather than 'government' interest.
Empirically speaking, governments have had absolutely zero success at this, but their attempts to do so have gotten them the kind of legal power over your life that organised crime could only dream about.
Are you implying that after the Italian mafia there were no more organised crime gangs in the US? There's a huge number of organised crime gangs nowadays; who do you think is distributing the drugs responsible for America's massive drug problem? https://en.wikipedia.org/wiki/List_of_gangs_in_the_United_St... . A policy isn't a success if it kills one crime group only for it to be replaced with more, and the overall drug consumption/distribution rate doesn't decrease. More people are using illicit drugs than ever before: https://www.ibanet.org/unodc-report-drug-use-increase
think there is a societal interest in unsnoopable messaging.
there are other low-hanging fruit EU governments could do to address crime, NL has basically become a narcostate and they are just sitting by and watching - Telegram is not the problem.
In this instance (RT being banned), it's Russia's quite candid strategy to undermine social cohesion in their enemies' societies, using disinformation. Margarita Simonyan and Vladislav Surkov have each bragged about its success. So yes, for social cohesion, when there's a malign external actor poisoning public discourse with the intention of splitting societies, a responsible government ought to tackle it.
Information warfare is a real thing, and if you're suggesting governments shouldn't react to it - on the basis that doing so would fall under 'the old enemy of the people argument' - then what you're actually contending is that governments should neglect national defence.
If we start throwing around terms like "social cohesion" to justify censorship in the West, how can we complain about China doing the same in the name of "social harmony"?
I think your subtle arguments are wasted on EU's decision to stop the spread of misinformation and manipulation. It's that simple for them. Black and white. Us vs them. Don't think too much, you are taken care of by your "representatives" ...
It’s also the government’s role to take measures against harmful actions. Personal rights end where they start to harm others, or harm society in general. They are not an absolute, and always have to be balanced against other concerns.
However, my GP comment was against the claim that “The state has no business judging the truth”. That claim as stated is absurd, because judging what is true is necessary for a state being able to function in the interest of its people. The commenter likely didn’t mean what they wrote.
One can argue what is harmful and what isn’t, and I certainly don’t agree with many things that are being over-moderated. But please discuss things on that level, and don’t absolutize “free speech”, or argue that authorities shouldn’t care about what is true or not.
> Personal rights end where they start to harm others, or harm society in general
This empty saying is used to justify basically any violation of civil liberty, because it is unprincipled and open ended, so it can be used to respond to any action anyone can take
> The commenter likely didn’t mean what they wrote
No, I meant what I wrote. The government has no business judging the truth. What is the Russian disinformation from earlier in this thread? For example, is it discussing the illegal 2014 coup in Ukraine that ousted a democratically elected government that was friendly to Russia? To EU overlords, discussing that event is “spreading disinformation” even though it is factually true and deserving of discussion. It’s a great example of political censorship being a problem.
> don’t absolutize “free speech”, or argue that authorities shouldn’t care about what is true or not.
Free speech should be absolutized in day to day discussion, even if there are very limited exceptions in the law. It’s when there is permission from society to limit speech that populations end up propagandized and suppressed by whoever has power over them. That’s what is happening here, where people are coming up with absurd mental gymnastics to justify France’s authoritarian actions.
> judging what is true is necessary for a state being able to function in the interest of its people
This sounds like support for Soviet or China style control of speech, and labeling of anything that power disagrees with as misinformation. Authorities shouldn’t care about what is true or not, because they are biased and corrupted by their agendas and ideologies and incentives. The free exchange of information is foundational to any free and democratic society. That’s what is necessary for a state to be able to function in the interest of its people.
At least Kim Dotcom's earnings and the main utility of the service were indeed based on pirated content. Telegram is a huge news/chat/etc app, where the things they mention as "enabling" are totally marginal and coincidental, more like arresting a property owner that owns half of the city because some people sold drugs in a few of the apartments.
I believe both cases come down to how much effort the leaders put into identifying and purging the bad activities on their platforms.
One would hope that there is clear evidence to support a claim that they’re well aware what they’re profiting off and aren’t aggressively shutting it down.
To use Reddit as an example: in the early days it was the Wild West, and there were some absolutely legally gray subreddits. They eventually booted those, and more recently even seem to ban subreddits just because The Verge wrote an article about how people say bad things there.
> the warrant was issued because of his alleged failure to cooperate with the French authorities.
That would seem to be the key bit. Makes one wonder what level of cooperation is required to not be charged with a slew of the worst crimes imaginable. Is there a French law requiring that messaging providers give up encryption keys that he is known to be in violation of?
> Why are these service providers being punished for what their users do?
There is a legal distinction here between what happens on your platform despite your best efforts (what you might call "incidental" use) vs what your platform is designed specifically to do or enable.
Megaupload is a perfect example. It was used to pirate movies. Everyone knew it. The founders knew it. You can't really argue it's incidental or unintended or simply that small amount that gets past moderation.
Telegram, the authorities will argue, fails to moderate CSAM and other illegal activity to the point that it enables it and profits from it, which is legally indistinguishable from specifically designing your platform for it.
Many tech people fall into a binary mode of thinking because that's how tech usually works. Either your code works or it doesn't. You see it when arguments about people pirating IP being traced to a customer. Tech people will argue "you can't prove it's me". While technically true, that's not the legal standard.
Legal standards rely on tests. In the ISP case, authorities will look at what was pirated, was it found on your hard drive, was the activity done when you were home or not and so on to establish a balance of probabilities. Is it more likely that all this evidence adds up to your guilt or that an increasingly unlikely set of circumstances explains it where you're innocent?
In the early days of Bitcoin I stayed away (to my detriment) because I could see the obvious use case of it being used for illegal stuff, which it is. The authorities don't currently care. Bitcoin however is the means that enables ransomware. When someone decides this is a national security issue, Bitcoin is in for a bad time.
Telegram had (for the French at least) risen to the point where they considered it a serious enough issue to warrant their attention and the full force of the government may be brought to bear on it.
It seems there has been a misunderstanding; laws for service providers never exempted them from having to cooperate and provide data available to them when ordered.
Because these countries are hypocrites. Because politics, because these guys are from Russia, China. You can so obviously see there's discrimination against companies from those countries. Can you imagine France doing this if it's a US company?
Rhetorical question: for what reason should a country be anything other than a hypocrite when it comes to situations such as this? Nations prioritize their own self-interests and that of their allies, even if that makes them appear hypocritical from an outside, or indeed, even an inside perspective. But that doesn't mean there's no legitimacy to what they do.
That's why startups need to get Silicon Valley VC investment so that the VCs can lobby Washington on their behalf with <del>protection money</del> political donations and avoid this crap.
The difference is that this is not an isolated case on telegram(you said it yourself: "some amount", which implies "limited"). At the same time, you can literally open up the app and with 0 effort find everything they are accusing them of - drugs, terrorist organizations, public decapitations, you name it. They also provide the ability to search for people and groups around you, and I am literally seeing a channel where people are buying and selling groups "800 meters away" from me and another one for prostitution, which is also illegal in my country. Meanwhile, see their TOS[1]. They have not complied with any of the reports or requests from users (and governments by the looks of it) to crack down on them. While 1:1 chats are theoretically private and encrypted(full disclosure, I do not trust Telegram or any of the people behind it), telegram's security for public channels and groups is absolutely appalling and they are well aware of it - they just chose to look the other way and hope they'd get away with it. You could have given them the benefit of the doubt if those are isolated("some") instances, sure. But just as in the case of Kim Dot-I-support-genocide-com, those are not isolated cases and saying that they had no idea is an obvious lie.
2000/31/EC[2], states that providers are generally not liable for the content they host IF they do not have actual knowledge of illegal activity or content AND upon obtaining such knowledge, they take action and remove and disable access to that content (Telegram has been ignoring those). Service providers have no general obligation to monitor but they need to provide notice and take down mechanisms. Assuming that their statements are correct, and they had no idea, they should be in the clear. Telegram provides a notice and take down mechanism. But saying that there are channels with +500k subscribers filled with people celebrating a 4 year old girl with a blown off leg in Ukraine and no one has reported it in 2 and a half years after it was created is indeed naive.
If I have to dig through third party clients in order to trust a system, then it's clearly a shit system. Signal > anything else, especially telegram, which can burn in hell for all I care.
I don't see the difference with Signal here. In both cases, the only reason why you know that they do E2EE properly is because you (or somebody else that you trust) has audited the client code and confirmed that it does indeed do E2EE.
Nor does it require a third party client. In fact, in this regard, Telegram official client is slightly better because they have reproducible builds for iOS, while Signal, last I checked, does not (they do have them for Android).
Kim Dotcom ran basically a pirated game/book/music/movie site. Telegram (what I have seen) is mostly hacking leaks although rumored to have CSAM (to those not familiar with the acronym, it means cheese pizza).
Of course you can find both somewhere in the walled planetary garden of googlotron in facebooks sure. But they clamp down on it hard as they can. They clamp down on anything marginally offensive much less illegal. Have you tried the Facebook "report post" interface? There are 3,000 various types of offensiveness you may report. That's their bar, their standard, that's 1,000 miles away from definitely illegal content. If their censorship apparatik is so bold as to be wiping out vast swaths of totally valid free speech, anything illegal has no chance.
If the question is "what's a great place to go for piracy" - megaupload, pirate bay, etc, then any common answer to that question is a target... "where do I go for data breaches" - breachforums, telegram, etc. Don't get worked up, all those places were destroyed by the feds and no longer exist.
Why are these service providers being punished for what their users do
[...]
maybe I'm just being naive?
In this case, the comment does strike me as naive.
Back in the 1990s the tech community convinced itself (myself included) that Napster had zero ethical responsibility for the mass piracy it enabled. In reality, law in a society is supposed to serve that society. The tech community talked itself into believing that the only valid arguments were for Napster. In hindsight, it's less cut-and-dry.
I have never believed E2EE to be viable, in the real world, without a back-door. It makes several horrendous kinds of crime too difficult to combat. It also has some upsides, but including a back-door, in practice, won't erase the upsides for most users.
It is naive to think people (and government) will ignore E2EE; a feature that facilitates child porn, human trafficking, organized crime, murder-for-hire, foreign spying, etc etc. The decision about whether the good attributes justify the bad ones is too impactful on society to defer to chat app CEOs.
This should be obvious to everyone here, but it's pretty much inevitable that if a backdoor exists, criminals will eventually find their way through it. Not to mention the "legitimate" access by corrupt and oppressive governments that can put people in mortal danger for daring to disagree.
No doubt that is true, and presumably Cory Doctorow has written some article making that seem like the only concern. The alternative makes it difficult to enforce all kinds of laws, though.
You can go ahead and encrypt messages yourself, without explicit E2E support on the platform. In fact, choosing your own secure channel for communicating the key would probably be more secure than anything in-band.
I doubt that will upset the public the way Signal and Telegram eventually will. Most people, including criminals, struggle with tech. If they want E2EE badly enough, and use one of the big messaging GUI apps they can succeed. If they can only do it via less user-friendly software, they'll need help or to do research, and likely will leave a trail behind them. That is more useful to law enforcement than if they simply had downloaded one of the most popular App Store apps. It's hard for a news story about a CLI utility to gain traction.
Historically speaking, a great deal more crime was impossible to combat in practice simply because no state could afford a police apparatus extensive enough to monitor everything. Coincidentally, this also extended to things like political dissent.
Now that automated mass surveillance actually makes it possible for the states to keep tabs on just about everything, E2EE, if anything, merely rebalances the scales (although even that is overselling it - in practice, with modern surveillance tools, the scales are still much more heavily tilted in favor of those surveilling).
To what extent people really want to embrace the panopticon is not so clear-cut. It is certainly something heavily pushed from above, and in many societies that does seem to be reflected in public opinion (e.g. UK) - but not in all, so I do not think it can be reasonably assumed to be the default.
That's how most law works. I have to give up my right to murder someone in order to enjoy a society where it's illegal for everyone.
If you believe privacy not inspectable by law enforcement is wrong, the prerequisite is saying that you're willing to have the law apply to you as well.
I believe that privacy not inspectable by law enforcement is a fundamental right. I'm willing to accept that aids some crimes but also willing to change my mind if the latter becomes too much of a problem. It doesn't seem to be the case at all ATM.
Yes, that is my position. E2EE back-doors might not affect my communications or yours, but have serious and undesirable repercussions for some journalists and whistleblowers. The thing is, regular people aren't going to tolerate a sustained parade of news stories in which E2EE helps the world's worst people to evade justice.
This comment can itself be said to take for granted the naive view of what law it exposes.
Law is a way to enforce a policy on massive scale, sure. But there is no guarantee that it enforces things that are aiming at the best equilibrium of everyone flourishing in society. And even when it does, laws are done by humans, so unless they result from a highly dynamic process that gathers feedback from those on which it applies and strives to improve over time, there is almost no chance laws can meet such an ambitious goal.
What if Napster was a symptom, but not of ill behavior? Supposing that unconditional sharing of cultural heritage is basically the sane way to go can be backed on solid anthropological evidence, over several hundred millennia.
What if information monopolies are the massive ethical atrocity, enforced by corrupted governments which were hijacked by various sociopaths whose chief goal is to parasite as much as possible resources from societies?
Horrendous crimes, yes there are many out there, often commissioned by governments who will shamelessly throw outrageous lies at their citizens to transform them into cannon fodder and other atrocities.
Regarding fair retribution of most artists out there, we would certainly be better served with universal unconditional net revenue for everyone. The current fame lottery is just as fair as a national bingo as a way to make a decent career.
You know, I agree with nearly all of these points. I even think there is something to your point about Napster 'being a symptom' but (as people love to say around here) it's 'orthogonal' to the original point I wanted to make.
Few things would please me more than to live under a system where arts and culture were freely available to all, and artists didn't have to starve in the process. It doesn't strike me as far-fetched either; it wouldn't take much to improve on the system we currently have.
But my original point was that, given the society we actually had when Napster came along, it was unreasonable for Napster unilaterally to decide for everyone else that existing laws and expectations no longer mattered.
> Horrendous crimes, yes there are many out there, often commissioned by governments who will shamelessly throw outrageous lies at their citizens to transform them into cannon fodder and other atrocities.
Yes, this happened, is happening and will happen.
I wonder however if the word "often" may perhaps be misleading or even completely wrong.
If you pick one random victim of a horrendous crime today in a western society. Feel free to pick the minority most hated by that society. What is the likelihood that that crime was commissioned by the government? It's more likely domestic violence, trafficking etc done by fellow community members.
Sure there are examples of governments shooting civilian planes in the sky or ferries in the and covering up. And it's perfectly sensible to be outraged when that happens. But jumping to the conclusion that "the government" just does those things as a matter of routine doesn't sound right to me. I don't buy it. It smells conspiratorial thinking and requires extraordinary proof.
> Why are these service providers being punished for what their users do?
I think this is simplified. Certainly yes, if "all" Telegram was doing was operating a neutral/unmoderated anonymized chat service, then it's hard to see criminal culpability for the reasons you list.
But as people are pointing out, that doesn't seem to be technically correct. Telegram isn't completely anonymous, does have access to important customer data, and is widely suspected of complying with third party requests for that data for law enforcement and regulatory reasons.
So... IF they are doing that, and they're doing it in a non-neutral/non-anonymized way, then they're very plausibly subject to prosecution. Say, if you get a report of terrorist activity and provide data on the terrorists, then a month later get notified that your service is being used to distribute CSAM, and you refuse to cooperate, then it's not that far a reach to label you an accessory to the crime.
I’m not a fan of this arrest and I don’t believe service providers have a duty to contravene their security promises so as to monitor their users.
But it seems pretty obvious that governments find the monitoring that Google / Reddit / etc do acceptable, and do not find operation of unmonitorable services acceptable.
VPNs don't pose an obstacle to monitoring any specific activity, and as many VPN-using criminals have found, even their ability to stop law enforcement from identifying you is limited. So they've been less of an issue. Having said that, I would note that Mullvad was forced to remove port forwarding in response to law enforcement interest, and I don't think it would be too surprising (or too dystopian) if in the future "connection laundering" is a crime just like money laundering.
There are several jurisdictions in the world where the government has the power to force a provider to keep logs, and actively lie about it. We simply have no way to know if mullvad or any other logless provider is actually logless, because they can be legally forced to lie about it.
Aside, warrant canaries have never been actually tested in court and the common consensus is that they wouldn't fly in reality if they were ever contested.
Because some things like terrorism and child sex abuse are harms to society as a whole, and even private individuals have an obligation to help combat them. Durov has a service where by design it's hard to filter out that kind of activity, and he's effectively (if not explicitly) helping protect that activity.
No because HP printers *do* print tracking marks to allow law enforcement to match a printout to a printer if they find abuse material that's been printed.
I find it amazing that this is used as an example of a good thing.
A few decades ago, one of the factoids about USSR was that they required all typewriters to be registered with the state, with a sample page produced for every unit manufactured so that the state could track their use (this last bit is unlikely to be true, but was widely believed). That was supposed to be a case in point on why free societies are better, not an example to follow.
I was pointing out that the GP's strawman was really immaterial because HP don't get sued/arrested because they comply with law enforcement (at the expense of user privacy).
Since I know better than to use a printer in the commission of a crime, it doesn't really affect me, but I'm aware that the majority of users consider it a privacy violation.
> So is France going to arrest the owners of HP, because their printers can't filter out CSAM?
A more comparable example, is France going to arrest someone who maintains a printer in an office and knows an employee is printing CSAM but doing nothing about it?
I hope they would, this is the boat Telegram is in.
If you think one person printing out CSAM on a printer one page at a time is the same as running a service that facilitates tens of thousands of people to trade CSAM, there's nothing I can say to explain it to you.
I strongly suspect there's more to it than just running a chat system used by criminals. If that were the issue then tons of services would be under indictment.
We'll have to wait and see, but I suspect some kind of more direct participation or explicit provable look-the-other-way at CSAM etc.
Let’s just say I encrypt illegal.content prior to uploading it to Platform A. And share the public key separately via Platform B. Maybe even refer Platform A users to a private forum on Platform B to obtain the keys. Are both platforms now on the wrong side of the law?
This is a big problem. Why are we talking about "cooperation"? What does it mean? A judge doesn't ask you to cooperate, he seizes your servers. Ah, it's not a court. It's the police? The state? It's not a free country, sir.
In principle, the police can tell if a song infringes copyright, or if a message spreads hate (I'm trying to sound American here). Or if a picture is really a "cheese pizza" or just a strange artistic depiction of youth. Not because the police don't know about music or TC/IP, or don't care about art or reading. Everyone knows they care. But because it is a legal problem.
In my country, let's call it a republic, at least it was a long time ago, even the state can own all your bases because you don't pay taxes, the police can only arrest you for six hours while they call the prosecutor to check that the 200 grams of white powder is what it is. They knew. They had already stolen the rest. If the forensics aren't quite sure what you're bringing them, it's the stuff that makes the stuff what the stuff is, you're free to go.
The prosecutor can make a case and send the 100 grams of white powder the same day, claiming that the stuff is the same stuff that other similar stuff is made of. He expresses his strong conviction. The judge then sends an arrest warrant to the police. You've been arrested, you have no money, the judge imposes some restrictions on you: you can't leave the country, you can't contact certain people, you have to go to court every week to sign a book. The investigation is open.
You have access to all the documents. Nothing happens without your approval and control.
This is how it works if SIA (yes, the singer) is not involved. If it is, you will be dead for a week and no one will ever find your body.
Aware of what? Government says a file is illegal? Sounds like a censorship regime to me.
Not if the key is provided to the platform operators to confirm the contents. Otherwise yes anyone could claim any encrypted file contains illicit material and people would game that system.
For what it's worth the key may not need to be manually shared to the provider as referrers often leak where people learned about the file and that source location may also contain the key or password. All it takes is one person using a web interface or addon that leaks such information. Some addons break the referrer-policy header and many website operators don't even set the header [1] in the first place. Example header testing [2]. Please test the sites you visit and kindly ask the website operators to address any missing headers.
# nginx example
add_header Referrer-Policy "strict-origin" always;
Often is the case but I would still suggest setting the referrer policy should the file be enticing enough for people to register an account assuming forum ranks and further actions are not part of the picture.
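The referrer leak and the `strict-origin` setting discussed in the comments above, modelled as an added example that is not part of the original thread: it computes the Referer value a browser would send under each Referrer-Policy value, following the W3C Referrer Policy rules in simplified form. The URLs, the key and all function names are constructed for illustration.

```python
from urllib.parse import urlsplit

POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}
# Default in current browsers; older ones used "no-referrer-when-downgrade".
BROWSER_DEFAULT = "strict-origin-when-cross-origin"
DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample data: a forum page whose URL carries a decryption key.
KEY = "CONSTRUCTED-KEY"
SRC = "https://forum.example/thread/42?key=" + KEY
SRC_FRAGMENT = "https://forum.example/thread/42#key=" + KEY
DST = "https://files.example/blob/abc"


def parse_policy(header_value, default=BROWSER_DEFAULT):
    """Effective policy for a Referrer-Policy header value.

    The header is a comma-separated list; the last token the browser
    recognises wins. A missing header or no valid token means the default.
    """
    policy = default
    for token in (header_value or "").split(","):
        token = token.strip().lower()
        if token in POLICIES:
            policy = token
    return policy


def _origin(url):
    parts = urlsplit(url)
    return (parts.scheme, parts.hostname,
            parts.port or DEFAULT_PORTS.get(parts.scheme))


def _origin_string(url):
    scheme, host, port = _origin(url)
    if port == DEFAULT_PORTS.get(scheme):
        return f"{scheme}://{host}/"
    return f"{scheme}://{host}:{port}/"


def _stripped_url(url):
    """Full URL without userinfo and fragment, which are never sent."""
    parts = urlsplit(url)
    query = f"?{parts.query}" if parts.query else ""
    return _origin_string(url).rstrip("/") + (parts.path or "/") + query


def referer_sent(policy, source_url, dest_url):
    """Referer header value for a navigation, or None if it is omitted.

    Simplification: a downgrade is any https -> non-https request.
    """
    same_origin = _origin(source_url) == _origin(dest_url)
    downgrade = (urlsplit(source_url).scheme == "https"
                 and urlsplit(dest_url).scheme != "https")
    full, origin = _stripped_url(source_url), _origin_string(source_url)
    if policy == "no-referrer":
        return None
    if policy == "unsafe-url":
        return full
    if policy == "origin":
        return origin
    if policy == "same-origin":
        return full if same_origin else None
    if policy == "origin-when-cross-origin":
        return full if same_origin else origin
    if policy == "no-referrer-when-downgrade":
        return None if downgrade else full
    if policy == "strict-origin":
        return None if downgrade else origin
    if policy == "strict-origin-when-cross-origin":
        if same_origin:
            return full
        return None if downgrade else origin
    raise ValueError(f"unknown policy: {policy}")


def audit(header_value, source_url, dest_url, secret, default=BROWSER_DEFAULT):
    """Report the effective policy and whether the secret reaches dest_url."""
    policy = parse_policy(header_value, default)
    referer = referer_sent(policy, source_url, dest_url)
    return {"policy": policy, "referer": referer,
            "secret_leaked": referer is not None and secret in referer}


if __name__ == "__main__":
    for header in (None, "unsafe-url", "no-referrer-when-downgrade",
                   "strict-origin", "no-referrer"):
        print(f"{str(header):28}", audit(header, SRC, DST, KEY))
    # A key kept in the URL fragment is not sent under any policy.
    print(f"{'unsafe-url (fragment key)':28}",
          audit("unsafe-url", SRC_FRAGMENT, DST, KEY))
```
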
I'm not sure where this myth originated—perhaps from Kim Dotcom's Twitter account? I clearly remember the Megaupload case. They knew they were hosting pirated content, didn't delete it after requests[1], and shared money with the people who uploaded it because that was their business model.
Google, Discord, and Reddit all take swift and decisive action against CSAM. I have never organically encountered CSAM on Google, and have only encountered it on Discord and Reddit because of deliberate bad actors. Outside of Reddit's early mistakes with /r/jailbait, none of these services end up being preferred by pedophile communities, because they can expect to be shut down quickly if they rally there.
Telegram has become a hotspot for CSAM to the point that it is pretty much inevitable that you're going to encounter someone peddling it just by browsing other channels.
I think the real difference is the intent. If your platform makes it extremely easy to do illegal things, and you choose not to put in the controls to stop it, then I think it is fair that government should stop.
Kim Dotcom is still harassed because he is very vocal against the US and what is happening in Ukraine. https://x.com/KimDotcom
The US narrative on Ukraine and Israel is getting weaker. Thorns like Kim Dotcom that has a big following, Telegram that is the only social platform to access the Russian side of the events, can break the US narrative.
It is ironic that the US screams Russia did a war crime in Bucha but Israel on Gaza is fine.
True. Best source to get info from the war are on Telegram. Both Ukrainian and Russian ones. Some channels have millions of users and provide daily map updates, information about enemy positions and even information about locations where equipment is stored in EU countries.
It's better not the Kim Dotcom situation, that would mean Durov encouraged the illegal use of Telegram like Megaupload rewarded file uploads which generated heavy download traffic.
If that would be the case he would be at least an accomplice if not even the initiator of criminal activities.
Otherwise it would be just an abuse of his service by criminals.
>> Why are these service providers being punished for what their users do?
Are we 100% certain that this is only about Telegram? I want to see the allegations, not the vague charges, before pontificating about ISP liability. These charges might be more straightforward.
Dotcom is being prosecuted for knowingly and deliberately directing and encouraging the unlawful behavior of his users, and it's a criminal prosecution rather than a civil case because he's accused of building a (lucrative) business off the effort. You don't have to agree with the case or believe the DOJ has made it adequately (it's early to say, given the extradition drama), but it's not reasonable to say that Dotcom is being prosecuted "for what his users did", any more than it would be reasonable to say that a mafia kingpin was being prosecuted for what their street crews did at their behest.
(I have no idea what's going on with Durov, or how French and/or EU law works, except to say that legal analysis on HN tends sharply towards US norms, and people should remember that a lot of basic US legal norms, like the rules of evidence and against self-incrimination, do not generally apply in Europe.)
> Why are these service providers being punished for what their users do? Specifically, these service providers? Because Google, Discord, Reddit, etc. all contain some amount of CSAM (and other illegal content), yet I don't see Pichai, Citron, or Huffman getting indicted for anything.
WORSE, you get banned for reporting CSAM to Discord, and I guarantee if you report it to the proper authorities (FBI) they tell them to bug off and get a warrant. Can we please be consistent? If we're going to hold these companies liable for anything, let's be much more consistent. Worse yet, Discord doesn't even have End to End encryption, and the number of child abuse scandals on that platform are insane. People build up communities, where the admins (users, not Discord employees) have perceived power, users (children) want to partake in such things. It's essentially the Roblox issue all over again, devs taking advantage of easily impressionable minors.
Yep. At this point, it's clear to me that Discord is acting with malice. On top of banning people for reporting abuse on their platform, which is by itself insanity, they changed their report system [0] so it's no longer possible to report servers/channel/users at all, only specific messages, with no way to report messages in bulk being provided.
They had a scandal where they allowed the furry equivalent of child porn, and quietly banned that type of porn from the platform later on. I assume due to legal requirements.
Edit:
I think the lack of bulk reporting is a pain too. They used to ask for more context. One time I reported a literal nazi admin (swastika posting, racial slurs, and what have you), but the post was "months old" and they told me essentially to "go screw myself" they basically asked why I was in the server.
We've banned this account for breaking the site guidelines and ignoring our requests to stop.
If you don't want to be banned, you're welcome to email hn@ycombinator.com and give us reason to believe that you'll follow the rules in the future. They're here: https://news.ycombinator.com/newsguidelines.html.
French lawyer here, it's difficult to know anything as of now given that all the information is covered by secrecy as long as he's in preliminary custody.
Neither he nor his lawyers have access to the procedure yet.
This will last for 48 hours from his arrest - it can be 96 hours if they decide his suspected crimes are about drugs or prostitution, and even 144 hours if it's about terrorism.
So we'll probably need to wait for a few days before understanding what this is really about.
Telegram is genuinely the best general communication platform I have ever used, by far. I really hope he has a good lawyer and this doesn't end up getting essentially murdered for creating it. When you create something that is objectively great, everyone will use it - including bad actors.
I use telegram for some group chats, but I'm not sure why tech-savvy people would like it so much – messages are not end-to-end encrypted which makes it an inferior choice compared to even whatsapp
For one, it's the only major messenger that has an actually lightweight, well-written and full-featured desktop client rather than yet another boxed-up web browser. I might be more enthusiastic about using the alternatives if I could use the Telegram client.
It's very bizarre to see all these comments downplaying this, or implying the lack of E2EE by default somehow makes it less attractive to the average user than something like Signal.
Most people care about usability and interconnectivity first and foremost because the majority of their messaging activities are not so sensitive that they feel the need to sacrifice those things for mandatory E2EE. Call that shortsighted if you like, but it's far more common than this "encryption or bust" mindset around here.
If signal or some messaging platform could find a way to be E2EE capable all the time, with all the same usability and design as telegram, without unnecessary restrictions on users, and without it being a completely walled off garden from which your data can never be self-extracted, it would win this argument.
Same goes for things like Tutanota and a lot of these other data prisons that are cropping up which create privacy through taking away user agency.
Until then users will pick what they want for their own needs. Telegram met those needs for many.
isn't only the client side oss? server side logs/libs is more likely. isn't it amazing 30 guys handle a billion users and who knows what sort of ddos is unleashed against them.
Intriguing (and surprising to me that they offer E2EE at all), but there is seemingly no Linux build. I can't seem to find source code either (Telegram Desktop's is released under the GPL).
They used to have a page wittily named "feature matrix", which made it apparent that only Element was really kept up to date, with other clients missing features ranging from channel search to embedding images. I don't know if this situation has improved and whether the original page still exists somewhere.
Several of them have been reporting improvements over the past couple years in the weekly Matrix development blog, and I know at least one of them has both search and embedded images. You might want to have another look some time.
> which makes it an inferior choice compared to even whatsapp
I'd rather have a good privacy policy with a good enough server-side encryption than some closed-source implementation of E2EE, that we can never audit.
WhatsApp actually disallows you from reverse-engineering the app and looking into the algorithm. That begs the question, what percentage of E2EE is it really? 20%? 50%? 100%? Because there's still no way to confirm their claims of E2EE. All we have is a company with a really good track record in lying publicly, telling you that it's safe.
This is no longer true, WhatsApp have taken steps [0] to make their e2ee auditable and honestly I disagree with the idea that no e2ee is better than closed source e2ee. I'm not sure why you would trust a privacy policy more than you would trust encryption, with a court order Telegram would provide your chats to law enforcement, while WhatsApp would not be able to.
This is not the algorithm being audited, it's the key. Telegram's complete algorithm is auditable, including the open source client apps. Server code is always unverifiable, so let's not bring that up.
Secondly, WhatsApp channels and large groups (copied from Telegram) are not encrypted in any way (cmiw), as opposed to Telegram's MTProto 2.0 Cloud encryption. The app is completely closed-source even with all their claims of privacy and its TnC even discourages you from reverse-engineering it.
WhatsApp Communities are indeed E2E encrypted. About channels, why would you want a channel to be encrypted when you are just a follower and cannot communicate back? In fact WhatsApp's guidelines explicitly state the following:
> Channel updates should be used to share information with followers and viewers, not as a way for admins to communicate back and forth.
Signal for mobile and Signal for desktop are different apps with different code bases. Neither is as good as Telegram's, in my opinion.
Signal is fine for messaging. Not bad, not amazing. I'd have a much easier time convincing people to switch to Signal if it would've had a client as good as Telegram's, especially for the desktop application.
That said, Telegram has been adding more and more annoying premium features that distract and annoy.
On iOS, if you turn off your Internet connection and receive a message, you won’t get a notification when you restore your connection. This problem doesn’t exist with WhatsApp, Messenger, Instagram. Quite strange.
Maybe because tech-savvy people understand the need and importance of encryption? There's of course always the exceptions that say they don't care about privacy, but that is fortunately usually a small group, at least in the tech-savvy world.
Both tech savvies and laypeople expect private/encrypted messaging app to provide the basic property that only the sender and the intended recipients can read it. This is achieved with end-to-end encryption. Techies know the term, and can understand it's not present. Non-tech people don't understand, and just rely on word-of-mouth that it's super secure, when it's not.
At least in the beginning, when I looked into it, it had a very simple and well documented API. I guess it was the only messenger you could send a message with one line of code (of course not e2e encrypted). So it's very simple to send you a message from your home project.
WhatsApp doesn't save my history. And secret services of governments of certain countries are not a realistic adversary that I'm trying to defend myself against. The usual scammers which are going to steal my identity are not the people Durov will sell admin access to his server to.
Almost all conversations that most people have are benign. I used telegram to follow journalists (essentially as a twitter replacement), how would E2EE benefit my use case?
Yeah no shit. But sharing cute cat pics deserve human right to privacy. Also, when everything is E2EE, that reduces the metadata about when you say something private. You don't want your opt-in encryption to reveal metadata about how close you are to someone.
even with the recent trend towards adding incremental bloat to the client, it’s managed to stay a simple, straightforward tool for communicating with minimal advertising and enough of the features that i need front and center.
The fact bad actors are also using it is not the problem. His unwillingness to moderate content and cooperate with authorities is.
Great UX doesn’t suddenly put you above the law.
Video and Audio calls are hit and miss. The history and search are not reliable. The interface is not really suited for big group chats... I could go on and on.
And tactics exist outside of control of communications, to capture these bad actors, to infiltrate their ranks; why are these alternatives to fighting the production of child exploitation and abuse content not brought up in conversation ever?
The masses do not care much if ones do not do against bad actors what are in their power just their pretty platform shall keep running, they will keep this one alive too and argue for it to the death, don't worry, the masses could argue for any malicious thing that they find pretty or nice or like for some reason. Can organize some protest or even riot too in a - unencrypted by nature - group channel, there will be scores to participate, as recent example show in other precious matters, maybe can loot some good scores too on the side of the big party about a dear matter for the heart! Paris deserve the revenge! : /
Good lawyers won’t make much difference for him as the French government is tired of not being able to look at all our conversations. They want to start scaring people into compliance and verifying all their actions with the government or at least scaring the companies providing a (semi) private experience. This is mostly like just phase 1 of getting the keys that open up telegram servers to 5 eyes by getting Durov under their thumbscrews.
I actually despise it. I'm not sure if this has changed, but after being forced to make an account under my phone number, it proceeded to send a message that I had joined to everyone who had my number in their contacts and was foolish enough to share them with Telegram. This included a rather vile woman whose number I apparently inherited from a deceased relative some years before. She didn't understand this and accused me of stealing his identity. While it was simple enough for me to brush it off, I couldn't believe they would allow and even encourage such a thing, so I almost immediately deleted my account and instead tried out one that wasn't so eager to lap up my personal details.
You like it better than Signal? The only thing I know Telegram for is several of my girlfriend’s relatives being exposed to crazy scams and right-wing conspiracy theories and misinformation on it.
Signal has better governance, plus e2ee mandatory, while on Telegram it is optional and rarely used. Telegram also has a “social media” aspect with huge groups and channels, which attracts many people, but is a departure from the whole secure chat messaging it’s still known for.
This is exactly my experience as well. I have never actually used telegram as I was early a signal user and never needed it but my ex used it. All she ever used it for was conspiracy garbage she would follow. Anti covid vaccine doctors and groups mainly. The amount of misinformation she tried to show me and every time I would show her how it was fake she still would not believe me. Then she was even scammed out of $10k from telegram when she fell for a romance crypto scam. The conspiracy stuff is a main reason we broke up it was every single one from flat earth to fake moon landing to all the covid world economic forum world take over and on and on. Most of these came from telegram.
The reason you consider all that misinformation is because it's politically sensitive information and every single other social media company and the vast majority of western-aligned media censor it, so the only place you come across such information is in the uncensored Telegram platform, and assume it must be false because all the other media you consume tells you so.
No I do not assume the moon landing was fake because other media outlets won't cover it. I do not think the earth is flat because news outlets won't cover it. The list goes on. I also do not think the covid beliefs I have come from the fact that mainstream news outlets won't cover it. I strongly believe a narrative was painted and information censored and controlled when it did not fit the narrative they wanted. I was first to criticize the Canadian government on how they handled the vaccine rollout and mandates. I did however spend a lot of time doing my own research and listening to any information my ex showed me and also researching those sides to things and formed a well informed opinion. I sought out other opinions and studies. I did my best to follow the science. Not at all what you are implying. In the end my ex was only interested in the opposite which was any narrative that said the vaccine was poisonous, we are being forced to take it because this is a world culling and in the next few years population is about to crash as it has now affected our sperm and dna so we will not be able to have children and the crazy thought kept on coming almost all fueled by telegram chat groups pushing that stuff.
There is no random hassle that gets your account/group/channel deleted (unless you are doing real CP, which is a giant red line of telegram) or random limit for size of the group. And easy to use. That's it.
Also the apis are almost completely free, so you can do lots of creative projects for fun.
Most people don't give a shit about security. Telegram is easier to use than signal and has more features because auto encryption makes stuff like public chats difficult.
Exploit their smartphone then email tidbits of their more outstanding Facebook chats, SMS messages, maybe some nudes, and recordings of their phone calls. You will see the "I don't care about security attitude" do a hard 180 real quick.
Many defend Telegram by likening it to a neutral platform, akin to TCP, claiming it merely provides a service without responsibility for the content. However, this comparison fails because TCP is a simple protocol with no ability to control or monitor content, whereas Telegram holds keys for most data and is capable of content moderation. Unlike E2EE platforms like Signal, which cannot comply with requests without breaking encryption protocols, and whose jurisdictions often prohibit forced backdoors, Telegram's refusal to cooperate, despite having the ability, shifts it from being unable to act to willfully aiding or sheltering criminal activity.
In this context, Durov's arrest isn't unjust - Telegram knowingly allowed illegal content to thrive while ignoring legal obligations to assist law enforcement. Refusing to provide data when you can, under lawful requests, is tantamount to facilitating or even protecting criminal activity. This dismisses the complexities of cross-jurisdictional law enforcement, but the general concept remains valid.
By the way, I’m not a fan of censorship, but I do believe that a platform’s baseline for moderation should be compliance with the current laws in each jurisdiction, rather than the founder’s personal moral judgment.
> TCP is a simple protocol with no ability to control or monitor content, whereas Telegram holds keys for most data and is capable of content moderation.
What?
And how do governments of the world block websites, services or the entire external web (as in China)?
> Telegram knowingly allowed illegal content to thrive while ignoring legal obligations to assist law enforcement
What? You think Telegram must read and have the means to know the contents of all chats on its platforms?
Forcing people to de-anonymize speech and enforce state censorship (“moderation”) is not an appropriate baseline and says more about the corruption of France than about Telegram. At this point how are they any different than the CCP? Each wants to paint their censorship and authoritarian tactics as moral and legal and justified.
"Lol, are we just calling everything ChatGPT now whenever something is remotely coherent? Unless you're sitting on some actual proof, that claim feels like a lazy handwave. Like, maybe it's just... a person? Not everything well-written is AI-generated, you know"
---------------------------------------------
Write a witty, hackernews comment responding to this post from a user:
"FWIW this post is ChatGPT generated at least partially."
Avoid using all language choices characteristic of text which was generated by ChatGPT. Call the user out for having no evidence. Add a few spelling errors characteristic of folks typing on their phone
When an assumed dissident to Western official orthodoxy is charged, your so-called ‘reputable sources’ can be seen as merely parroting official talking points and propaganda. Considering them reputable is a form of naivety.
I can only once again quote this section of Telegram's privacy policy verbatim:
> 8.3. Law Enforcement Authorities
> If Telegram receives a court order that confirms you're a terror suspect, we may disclose your IP address and phone number to the relevant authorities. So far, this has never happened. When it does, we will include it in a semiannual transparency report published at: https://t.me/transparency.
And interacting with their "Transparency Report" bot yields this:
> [...] Note: for a court decision to be relevant, it must come from a country with a high enough democracy index to be considered a democracy. Only the IP address and the phone number may be shared.
In other words, they are cherry-picking the jurisdictions they are even choosing to recognize, and within those they are again cherry-picking "terror suspicions" as the only class of law enforcement requests they will honor.
If I were the CEO of a company maintaining such a position, I'd be a bit more careful on where to refuel my jet.
This seems to be a blatant lie. In Russia telegram is widely used to prosecute people and crack down on dissent. KGB (today known as FSB) seem to have free access to anything not encrypted on the platform.
I have no reason to doubt that, and evidence supports that statement (i.e. the fact that it got unblocked in Russia, after previously having been blocked).
They could in any case very well be selectively applying that policy. But if they were fully cooperating with French authorities, why would there be a warrant?
Why would KGB share their toys with western powers? They have their ring of dictatorships to use it as one of the most potent propaganda and tracking tools.
I really hope this doesn't become an "encryption bad" cudgel.
> The main accusation by EU authorities concerns Telegram’s encrypted messaging services, which were allegedly used to facilitate organised crime. One investigator stated that ‘Telegram has become the number one platform for organised crime over the years’, underlining the perceived link between the platform’s privacy features and criminal activities.
It's unclear to me how much this "perceived link" is on behalf of the author of the article, as opposed to the prosecutors themselves.
Telegram doesn’t have mandatory e2ee, which puts it in this kind of situation. Having data on crime committing and denying access to it from authorities is a crime itself in most countries.
Right, I think that's an important distinction to make, but it's not really one that's explored in the article.
The article doesn't say anything about E2EE specifically, but I think it would be understandable to "read between the lines" and assume that Telegram is in trouble for offering E2EE - but I think/hope that assumption would be incorrect.
Because the post cooperates with law enforcement. The issue here isn't that criminals used telegram, it's that telegram didn't cooperate with the state. If you want to have a policy of non-cooperation you can't hold the unencrypted data.
1) The guy was marketing an open-text messenger as an e2ee messenger
2) Because of (1) he was able to moderate it and help law enforcement with locating criminals but he was not cooperating
3) He was extremely cooperative with Russian "law enforcement", as multiple deanonymised activists with leaked chats, contact lists and location history found out
So, a hypocrite got what he deserved.
The overall trend of EU attacks on privacy is very concerning, but Tg is not a private messenger, it just was marketed as one.
> Pavel Durov, Telegram founder, arrested by France following warrant - The Jerusalem Post
> The alleged offenses include: terrorism, narcotic supply, fraud, money laundering and receiving stolen goods.
For those unaware, all channels on telegram are NOT ENCRYPTED. They are stored in plaintext on telegram servers. All chats that are not 'secret chat' mode (single device to single device) are NOT ENCRYPTED (stored in plaintext on server).
This is not about encryption, it is about the plaintext data and the organized crime happening in these channels.
Signal group chats ARE ENCRYPTED by default. It is actually not possible to send an unencrypted message on signal. This will not pivot into an E2E issue, and will not affect signal which has set itself up to not store unencrypted content on its servers.
EDIT: Also possibly this may be a factor in the decision to arrest:
> finance.yahoo.com
> • 2 weeks ago
> Telegram adds new ways for creators to earn money on its platform
> Today's announcement comes as Telegram reached 950 million active users last month, and aims to cross the 1 billion mark this year. Earlier this year, Telegram founder Pavel Durov said the company expects to hit profitability next year and is considering going public.
> They are stored in plaintext on telegram servers
FYI, this is a totally misleading and false claim.
Telegram uses the MTProto 2.0 Cloud algorithm for non-secret chats[1][2].
In fact, it uses a split-key encryption system and the servers are all stored in multiple jurisdictions. So even Telegram employees can't decrypt the chats, because you'd need to compromise all the servers at the same time.
Telegram's algorithm has been independently audited multiple times. Compared to other apps like WhatsApp with claims of E2EE and no body of verification and validation.[3]
> So even Telegram employees can't decrypt the chats
I very much doubt that. If Durov wanted to, they could decrypt all of those messages.
That fancy encryption system is worthless when someone can hijack the session of any of the users in a chosen group. This is a risk in many crypto messengers, but those usually come with optional key verification whereas Telegram doesn't have that outside of encrypted one-on-one chats.
This is likely why they grabbed Durov, he has the keys to the kingdom. Telegram is a remarkably small company and not an 800lb gorilla and it would be very easy for him to provide whatever they need if he folds.
Because of the nature of the encryption, it allows more convenience compared to WhatsApp and Signal. For example, on Telegram you can (and we do) have a million people in a group without exposing their phone numbers. This has proven itself to be extremely useful to protestors. Signal failed massively, you couldn't add too many people and you always had the risk of exposing the phone numbers.
Along with that, you can use Telegram on as many devices as you want. The chats instantly appear after login. WhatsApp and Signal both are lacking here.
So there are always tradeoffs when it comes to encryption and convenience.
Telegram's focus has been on the convenience side and providing assurance using a clean record of protecting user-data from governments, which is why Telegram was created in the first place.
Can the encryption be improved? Of course yes! I'd love to! but I think much of the criticism by the WhatsApp loving crowd is not only disingenuous, but also harmful.
I agree, that is very convenient.
Also for the secret police officer..
I use telegram as social media, but I really would not use it to organize protest somewhere. Then the whole safety depends on whether Durov made a deal with the secret police, or them infiltrating the servers to know everything about anyone involved. What they liked at what time, what pictures they shared, etc.
That’s my concern as well, maybe none of the devs have the capability, but if -anyone- does it’s Durov, so why not just grab him under false pretenses and throw the book at him, trying to scare him into compliance with anything they want or face the rest of his life in the worst French prison they can find for him.
Unless I’m missing something, your MTProto link only covers transport level encryption not storage.
It doesn’t include E2E encryption in the scheme only client to server.
Whether the server stores it as plaintext or not, is moot to the point of having telegram itself be able to see the chats because they hold the encryption keys of the server and therefore can be made to comply with legal requests.
The person you replied to may be incorrect on the aspect of plain text but imho they’re right that it’s not really relevant in this context.
Encrypted storage would be relevant for the case where a server is compromised by a hacker.
I can't open the telegram.com links, blocked at work :/
But the Arxiv paper says:
"We stress that peer clients never communicate directly: messages always go through a server, where they are stored to permit later retrieval by the recipient. Cloud chat messages are kept in clear text, while secret chat messages are encrypted with the peers’ session key, which should be unknown to the server."
So it doesn't appear to be encrypted-at-rest, but without reading the telegram documentation I can't verify that.
This rebuttal makes no sense to me. What you cite is about transport encryption. App -> Server. The end of the process is that the receiver (Telegram servers) receives a decrypted (plaintext) message, just as kelsey98765431 is saying.
> Compared to other apps like WhatsApp with claims of E2EE and no body of verification and validation.
We do have at least some empirical evidence that WhatsApp is properly encrypted. WhatsApp's cryptography has made judges in my country foam at the mouth with rage so hard they ordered retaliatory nation wide blocks of the service at least twice.
People are right to distrust Meta but I for one am glad that everyone I know is using WhatsApp. I also have Signal and Matrix but a grand total of zero people message me through those.
> We do have at least some empirical evidence that WhatsApp is properly encrypted
So do we. Telegram's MTProto 2.0 has been audited multiple times by independent researchers, compared to WhatsApp's closed-source claims of E2EE.
I'd rather trust a company with a proven track record of no security incidents and fight for user privacy than a corporation which lies through its teeth time and again.
What is stopping Telegram from signing in as you and reading all of your past messages by changing how the authentication logic is handled for specific targeted users? Not saying they have done this, but they obviously could.
We can agree on the statement "Telegram does not cooperate with law enforcement authorities".
This is however something completely different from and largely orthogonal to "Telegram does not have access to their users' message contents".
The fact that they are consistently claiming the former and the latter makes them seem extremely untrustworthy to me.
Gaining my trust requires truthfulness and transparencies about the capabilities and limits of a service provider's technology (but of course is in no way sufficient).
> FYI, this is a totally misleading and false claim.
No, you seem to have in fact fallen for Telegram's continuous intentional misinformation.
The only thing that matters for whether we can call something "encrypted" or "plaintext" (or more precisely, "end-to-end encrypted" vs. "storage encrypted at rest" or "encrypted in transit" etc.) is whether they, the service providers, can access it themselves.
Would you argue they can't? And if so, how come I can log in to my Telegram account using only SMS verification and access my old messages?
And non E2E chats by default is an intentional design decision.
Pavel previously gave comments about these tradeoffs:
In some sense it is better design than Whatsapp's e2e by default BUT 99%+ users have an automated backup to an un-e2encrypted storage such as Google Drive.
Yeah. I have no idea how Telegram got this reputation for privacy.
I'd like to point out WhatsApp chats are also end-to-end encrypted, just like in Signal. People aren't wrong to distrust Meta but I'd like to point out that WhatsApp encryption often makes judges here seethe to the point they order nation wide blocks of WhatsApp out of spite. The fact everyone I know uses something this secure makes me very happy. It's not perfect but since network effects makes alternatives unusable I'll take what I can get.
See my comment above about the unencrypted backup.
It's basically a UX tradeoff:
You can not promote default E2E + no autobackups -- people in mass are not ready to lose their data when losing the device. Nor are they ready to store the key separately in a confidential manner. Nor are they ready to manually transfer the key among different devices.
All this UX situation is defined by Moxie (the author of Signal and Whatsapp encryption) in his blog post about PGP/WoT concept meeting the reality https://moxie.org/2015/02/24/gpg-and-me.html
So in fact as the average user you have either:
1) E2E + unencrypted autobackup (Whatsapp)
or
2) no e2e by default and separate e2e secret chats (Telegram) that are available only on a specific device.
In the first scenario all your chats including the most sensitive are available to law enforcement by issuing a warrant to your file storage provider.
In the second scenario you potentially can spill some sensitive information in default non-encrypted chats.
What is worse? I don't know. But I use both Telegram and Whatsapp with backups turned off. So I'm losing all the Whatsapp chat history when using a new device while losing only secret chats in Telegram (not a problem for me since I delete them often manually or set a self-destruct timer anyway)
Backups are encrypted now. Looks like they improved it.
I get it. I'm a privacy and free and open source software enthusiast. It's not perfect. It certainly is better than alternatives though. We know for a fact that it pisses off judges and authorities. That's a major sign that it's working. You should be concerned when they stop complaining about it, it means they got in.
Judges and authorities complaining is not a proof that encryption is good. Not cooperating with court will have the same effect, which is exactly what Durov is allegedly accused of.
> It stores it encrypted with encryption keys split across the globe.
The physical storage location is completely irrelevant. What matters is access, and they have that.
Telegram has full operational control over these keys, as demonstrated by the fact that anyone that can perform SMS verification is able to access past messages on an account, and SMS-OTP can in principle not involve any cryptographic operation, as there is absolutely no user input.
> Not perfect, but multiple legal jurisdictions would have to be subpoenad for Telegram to read your non-secret chats.
That's not how legal works.
For example, if I am an EU based judge and I issue a warrant for getting data from a company in a case related to something important (your values may vary, but let's say it's not about parking fines) then if your company wants to continue to operate in the EU, you need to pony up the data, or tell them why you can't comply, rather than won't.
Having your data stored with keys that you control isn't an excuse.
This is effectively plaintext, in that one entity has all of those secrets for everyone. That's one entity to subpoena.
If that entity doesn't comply, governments will get upset and charge your executives with crimes if they get the chance.
Different jurisdictions makes it harder to kick down the doors and get the keys, but it doesn't change the fundamental problem.
"Nuh-uh, I put all those records in a box in Switzerland, you can't have them" does not work well for US citizens, unless the government fails to even notice the box.
This is such an ignorant comment I am really disappointed at reading this here.
Besides the protocol used by Telegram being publicly available so you can easily confirm in 5 minutes that what you're saying is completely wrong, but you're also saying that law enforcement can totally see all those plain text messages hosted by Telegram, yet they choose to be really upset about it anyway despite it being, according to you, the best possible honeypot ever created with all criminal activity readily available for their perusal. Why, I ask you, would law enforcement want to stop such an app??? They would be completely silent about it and enjoy catching all criminals in it who are "ignorantly" thinking their messages are safe, wouldn't they??
Given the amount of baseless comments like yours on this topic, I can only imagine there's a concerted effort here to misinform everyone to make Telegram look bad so actual criminals move away from it to some more law enforcement-friendly platform. I have conflicting feelings about that, as perhaps the intention is noble, but I can never agree with misleading people by spreading misinformation and plain lies.
Law enforcement totally could see all those plaintext messages, if Telegram would honor their requests. But they don't, hence their CEO is being detained.
That's a position he knowingly and willingly maneuvered himself into. Compare that with e.g. the way Signal answers subpoenas: https://signal.org/bigbrother/
> Besides the protocol used by Telegram being publicly available so you can easily confirm in 5 minutes that what you're saying is completely wrong
There's absolutely no need to analyze the protocol, since you can just perform a high-level mud puddle test [1], and Telegram fails it. I've tried this myself.
Yes, the data is encrypted in transit. But Telegram can decrypt the data.
We can see that's true, because when I add a new device I can get into all my group chats.
Only if I explicitly "Start secret chat" does something else happen.
Telegram is sitting on a lot of group chats where a lot of horrible things are happening that governments want to see... and gets upset when Telegram doesn't use this access to share that information in response to lawful orders.
> I can only imagine there's a concerted effort here to misinform everyone
Assume good faith-- it's in the guidelines. I have been here just as long as you. I am not part of some shadowy conspiracy to make people think that Telegram security is bad.
I feel like people just don't understand the term of art "effectively plaintext".
Alternatively, if you thought I was talking about secret chats in general-- note that we are in a subthread talking explicitly about channels and non-secret chats:
"For those unaware, all channels on telegram are NOT ENCRYPTED. They are stored in plaintext on telegram servers. All chats that are not 'secret chat' mode (single device to single device) are NOT ENCRYPTED (stored in plaintext on server)."
Data that is transmitted or stored along with the keys is effectively plaintext, which Telegram does. The data is effectively plaintext on my device, at Telegram, and on the group members' devices, even if it is not plaintext in-between.
Data I send to a website over TLS is effectively plaintext on my computer and on the other side; in transit, it is not.
It all comes down to your threat model. Encryption does not protect information from entities who hold the keys to decrypt that information.
> It's not. They use a split-key encryption system so it's not exactly the same as storing the keys where the data is.
Yes, again, it all comes down to your threat model. No one can kick down the door and get to the keys.
But Telegram can get to all the keys, and thus can be legally expected to. The data is effectively plaintext to Telegram.
> Is MTProto 2.0 Cloud Encryption plaintext? No.
Just to note: "effectively plaintext" has been in use for a couple of decades as a term of art. We don't say it's plaintext, because it's not. It means there's effectively no security properties lent by the encryption.
For example, my web browser encrypts a few passwords for me and stores them on disk, but doesn't need a cryptographic secret from me to decrypt them; they're effectively plaintext, because no one has to break any encryption to read them.
Indeed, here's a thread on HN from 2013, where Durov is participating, where people are using "effectively plaintext" in exactly this way to describe exactly what we're talking about: https://news.ycombinator.com/item?id=6937097
Browsers should be interacting with the OS to require something (like your system password, Touch ID, etc.) to have unlocked the vault before being allowed to auto complete.
Yeah, I don't doubt that it can be improved. I hope it does because Telegram is not a fringe messenger anymore. There can be improvements made to the infrastructure, so that they don't keep facing these issues again and again.
There was no discussion of whether it can be improved. I was just telling you that it meets the established understanding of the term "effectively plaintext," which you were seeming to disagree with.
Yeah, I would still disagree because everything is effectively plaintext in the end. The only difference is how you derive the key. There are levels of encryption, that is true but I think calling an actual encryption as 'effectively plaintext' is wrong.
Telegram CEO has access to all keys and therefore all chats. Matrix foundation has no such access. These two examples should explain the difference between "effectively plaintext" and e2ee. The main difference is not how someone derives the key. It's who can do it.
Signal does not have access to the keys for the text. The government can not decrypt your signal chats no matter how much the company might want them to.
No, end-to-end encrypted systems are not effectively plaintext. That's a distinction anyone familiar with cryptography is well aware of, but Telegram has been gaslighting their user/fanbase and many journalists about it for years.
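The distinction argued over in the comments above (keys held by the provider versus keys that exist only on users' devices) and the mud puddle test one commenter mentions can be shown with a small model. This is an added example, not part of the thread and not Telegram's or Signal's code: both service classes, the account name and the sample message are constructed, and the HMAC-SHA256 keystream with encrypt-then-MAC is a standard-library stand-in for a real AEAD cipher.

```python
import hashlib
import hmac
import secrets


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate keys for encryption and authentication, derived from one secret.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: stand-in for a real AEAD such as AES-GCM.
    blocks = []
    for counter in range((length + 31) // 32):
        block_input = nonce + counter.to_bytes(8, "big")
        blocks.append(hmac.new(key, block_input, hashlib.sha256).digest())
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Layout: nonce (16) || ciphertext || tag (32)."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or modified ciphertext")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


class ProviderKeyService:
    """Encrypted at rest, but the operator holds the storage key."""

    def __init__(self):
        self._storage_key = secrets.token_bytes(32)
        self._store = {}

    def upload(self, account: str, message: bytes) -> None:
        # Transport encryption is omitted: it ends at the server, which sees `message`.
        self._store.setdefault(account, []).append(seal(self._storage_key, message))

    def sync_after_otp(self, account: str) -> list:
        # An SMS code proves control of a phone number; it carries no key material.
        return [unseal(self._storage_key, b) for b in self._store.get(account, [])]

    def operator_read(self, account: str) -> list:
        return self.sync_after_otp(account)  # same capability, no user involved


class EndToEndService:
    """The server stores blobs sealed with a key that never leaves the devices."""

    def __init__(self):
        self._store = {}

    def upload(self, account: str, blob: bytes) -> None:
        self._store.setdefault(account, []).append(blob)

    def sync_after_otp(self, account: str) -> list:
        return list(self._store.get(account, []))

    def operator_read(self, account: str) -> list:
        return self.sync_after_otp(account)  # ciphertext only


def mud_puddle_test(service, account: str, sample: bytes) -> bool:
    """True if a brand-new device with only an OTP login can read old history.

    True also means the provider can read that history without the user.
    """
    return sample in service.sync_after_otp(account)


def run_demo() -> dict:
    msg = b"meet at 18:00"  # constructed sample message
    cloud = ProviderKeyService()
    cloud.upload("alice", msg)

    device_key = secrets.token_bytes(32)  # exists only on Alice's devices
    e2ee = EndToEndService()
    e2ee.upload("alice", seal(device_key, msg))

    return {
        "cloud_at_rest_is_plaintext": msg in cloud._store["alice"],
        "cloud_new_device_reads": mud_puddle_test(cloud, "alice", msg),
        "cloud_operator_reads": msg in cloud.operator_read("alice"),
        "e2ee_new_device_reads": mud_puddle_test(e2ee, "alice", msg),
        "e2ee_operator_reads": msg in e2ee.operator_read("alice"),
        "e2ee_old_device_reads": unseal(device_key, e2ee.sync_after_otp("alice")[0]),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

In the provider-key model the stored bytes are ciphertext, yet both the new device and the operator recover the message, which is the sense of "effectively plaintext" used in the thread.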
It could be worth a try to extract the keys of one server with a liquid nitrogen can and a cold boot attack. Or something more advanced that isn’t documented on Wikipedia.
RAM can be XOR'd with little latency with hardware acceleration with a key in a slightly - separated secure enclave that will degrade if upset too rapidly, similar to a virtual da Vinci cryptex.
radio/bluetooth/em/sensitive/proximity warning switches to unmount virtualized volumes all in a quasi-state-sanctioned-"contact center" in middle Ukraine.
They are trying their best to prevent the inevitable; the ungovernable, untaxable, uncensorable, un-surveillable commerce and communication platform that will eventually arise from the amalgamation of human's pesky technology and its crossroads with the human condition.
The hate for all things labeled "crypto" (convenient poisoning the well/doublespeak) was a (partially) government psyop astro-fabri-exaggerated to sway public opinion against anything "crypto" so that an ungovernable, decentralized, general trust-less computation protocol/escrow/rep using zkp+ and homomorphic encryption was not able to be realized before the alfabit bois got a chance to mole into the development pipeline and backdoor the inevitable Merchanti Ultimatum; anything less would be a massive national security threat globally.
Anyway, while it's possible to activate a Telegram account without a physical phone (using some temporary number services) or using a (relatively) anonymous SIM card 99% of users use it via Android or iOS and that means there is no need to grab data from Telegram, USA gov. as well as Apple or Alphabet could simply milk them from their OSes, virtual keyboards and so on.
It's really cloying how many do focus on the service instead of weighing the ecosystem...
It's Kit Klarenberg of Grayzone. If he claims X, you should believe the opposite with much better than even odds. It could have been a hint to you when the news source of your choice attributes everything in the world to the CIA.
Totally irresponsible to cut off the next part of the headline that makes clear he is accused of not cooperating with the authorities on these things. He’s not accused of doing them himself.
If you’re going to edit the headline you’re taking a responsibility. Words and sentences and paragraphs can’t just be cut in arbitrary places any more than code can.
I find it ironic. As a kid growing up with the start of the internet, many Europeans and Australians implied the US would soon be an authoritarian surveillance state. I even deleted all my comments and accounts because I believed it (as a kid). Now, about 20 years later, I would wager Europe/Australia will reach that point first.
I sometimes wish I could bring a crystal ball back in time and see how people would react to the future... I think they would be horrified at how far we've let corporations and governments into our lives.
But we should let corporations into our lives that aren't even following the laws? Frankly, the Telegram users I've seen here and on Reddit really don't make a case for themselves, with all the sweeping accusations they throw around without knowing anything about the case.
20 years ago it was still reasonable to assume that the person you saw posting something was actually real, that the content you saw was actually written by somebody like you, curated by people like you. It's not like this anymore. It's time to stop being naive. The road to hell is paved with good intentions and one of them is granting foreign entities unrestricted access to the minds of your fellow countrymen.
I don't disagree with your concerns. In fact, I think they are overlooked by so many people.
However, I don't believe justifying or creating a surveillance state is the solution. We can't save people from themselves, it will be an arms race where the only casualty is our rights.
If people were using my backyard to sell drugs or CSAM, I knew it, and did nothing about it, I would absolutely be guilty of facilitating these crimes. I fail to see how the situation is different for Pasha.
> if the government knows about someone selling drugs and does nothing about it, you can sue the government.
at least in the US, there are only a few limited times the government is open to civil litigation - and nonenforcement of the law is not usually one of them
If you were the one hosting it on your own server and storing CSAM that people were sending, yeah, you should be arrested. Nobody cares if you upload a messenger to github, there's scores of them.
i think it is an analogy that is useful in elucidating what people view as the morally relevant aspect.
i don’t think it makes a ton of sense to me that the encryption or lack thereof is the relevant factor - if we think that proprietors of unencrypted messaging should be required to turn over chat logs, then encrypted messaging should probably be illegal or we have left a massive loophole in.
the scale being the relevant issue is another thing as well. i worry that if you somehow create a protocol for decentralized messaging, you somehow then become liable for misuse of what could have been an academic project, etc.
You mean if you’re also running servers for it that store all the data in a format you can read and refuse law enforcement requests in your jurisdiction.
This is a horrible analogy, is your side project giving free cloud hosting of up to 1.5GB files for 900 million users with no moderation? Yeah, if it is you should go to jail too if you didn't address the issue of CSAM there for a decade.
Whoa, it's absurd if true... I fail to see how being responsible for not cooperating with authorities can be turned into being accused of these crimes. And I don't care for the legal gymnastics which makes this possible - the law exists to serve the public interest and is of no inherent value.
In every country I know of, the freedom to not be responsible for what your users do on a platform includes certain requirements. Removing illegal content is the very least a platform must do.
Every country has their own definition of "illegal" content, but things like CSAM are illegal everywhere, and that's one area where Telegram never really bothered to take action.
The arrest warrant has been out for a while, so I doubt Durov got himself arrested by accident. He probably has a plan, or at least good lawyers.
Not true. That charge was dropped. He was convicted of numerous other charges related to running Silk Road: Engaging in a continuing criminal enterprise, distributing narcotics, distributing narcotics by means of the Internet, conspiring to distribute narcotics, etc.
Why do I bring that line of reasoning up? Because an actually exhaustive traversal of 2nd-6th order effects renders everyone complicit in something, especially in the presence of things criminalizing not looking for things.
You should never count yourself out of being a complicit party for something, and realize that if you're going to impose a penalty on a group you consider a "them"; it is likely only a matter of time invested enumerating your effects in the world to make evident something they did has been enabled by you. Even if only by you not making the choice to do something about them.
Bad things will happen. We can't prevent them all. And trying to zero any class of bad thing has so many knock-on effects, that even the most trivial sounding solutions need be met with strictest scrutiny to figure out what they will break.
The Silk Road was designed and marketed explicitly towards criminals to facilitate crime and AFAIK had practically no other uses. So, it's not a reasonable comparison.
So if I own and operate a hardware store (or any other storefront) and do nothing about people who are clearly using it to deal fentanyl, I'm absolved of all wrongdoing?
Rights don't give you super power to ignore laws. He failed to follow judicial orders. If he doesn't want to follow French justice orders, then leave France for good.
The article is very poor, mixing the actual charges with unrelated European Union concerns. The charges are not linked to encryption. Most of Telegram is unencrypted anyway.
The issue is with Telegram's non-cooperation and lack of moderation of publicly available content.
Cell phones are encrypted over the air, but they aren't end to end encrypted, and it's safe to assume that a provider will wiretap the plaintext passing through their backend if the authorities ask for it.
Telegram is not end-to-end encrypted in the way other messaging services are (whatsapp, signal), it is encrypted but Telegram holds the keys and are able to decrypt any messages not sent on a "secret chat" which is not the default, or any messages on a group chat
Some time ago many people in Russia wished that Russia will become a normal European country. I guess the wishes were granted, but not in a way we wanted.
I'm genuinely curious to what would happen with Signal if the same bad actors moved to their platform. Would France also be arresting its creators for not properly moderating and giving backdoors?
Signal doesn’t have public groups/channels. Moderation obligations only apply to public dissemination. If I send an email to a private mailing list, the involved email providers have no obligation to moderate its contents.
Signal always sounded like they have better lawyers and are not as antagonistic. Police work is not only about encryption. But a lot of it involves metadata. And you know, just booting bad actors from the platform.
They also don't have public groups with questionable material, as far as I know
This would imply that just E2EEing everything would give you a free pass not to moderate anything, which seems very naive. I doubt the judges would care about their self-imposed technological limitations.
If I sell shovels, it's not a self-imposed technical limitation that I don't have a way to detect and prevent anyone from doing something illegal with a shovel. Even after the technological means exist to include an internet-connected spy device in every shovel.
Secure message passing is no different. The "shovel", the thing one might sell, is just the application of some math which does something and not any of the infinite other things.
It's not a shovel he's selling. It's akin to hosting a gallery portraying disgusting crimes done to actual children. Digital or ink, Durov can't just go behind freedom of speech in this matter.
This isn't about Durov or Telegram, it's about "E2EEing everything would give you a free pass not to moderate anything, which seems very naive"
An e2e communication system is just a shovel, or a car, or a saw, or any other tool that does a specific thing for which there is any valid need, which there absolutely is. Thinking that there is any logically valid way around that is what is very naive.
I agree with you, but also sympathize with the technical issues of moderating encrypted information. Thinking a bit about it, there would need to be a global man in the middle or a requirement for all applications to decrypt/re-encrypt centrally for moderation.
There's a difference between breaking the encryption of a single target after a warrant or handing over previous data which would need some kind of backdoor in the encryption.
It's interesting that he chose to fly to France knowing fully well that he will be arrested. It is also not surprising, because he has French citizenship and France does not extradite its citizens. Looks like a tactical move on his part when his legal team told him he ran out of options and he much preferred to spend time in a French prison than in a Federal prison in the US.
I haven't got access to the timelines, but I'd be surprised if his arrest wasn't negotiated with his lawyers. He had no reason to go there, but chose to do so.
What a sad way to try to infer this has anything to do with Telegram being so secure Durov has to be arrested, when it's really about Durov letting CSAM sit on his servers for a decade.
A friend was just dragged off the plane and arrested in Paris recently for “money laundering”. It was completely baseless using falsified evidence. They wanted information but didn’t want to obtain a warrant or subpoena to get it. Eventually they let them go. Sad because this person was a total Francophile. Not any more. Sad state of affairs over there really.
It's so beyond my mind that people are finding reasons and excuses for the authority to justify the arrest. Let it be crystal clear that this is purely politics motivated. There's probably 20 other ways to address the concern of the platform. Let me ask you this, will France do the same if it's a US company or the founder is a US citizen?
Telegram has always been just one slip away from this kind of stuff because it's a centralized service. Depending on how laws are read, it could be seen as complicit in various crimes, and it's politicians who decide how to read those laws, not tech people. It might be the end of those good days where things were so simple and easy.
Meanwhile Jihadists roam the streets stabbing people in the neck let in by Politicians the West needs people because of Demographics etc. Should those Politicians be held responsible for the actions of people they let in? Equal standards should apply should they not?
In the meantime French government is promoting Olvid that claims “Your exchanges leave no digital trace. No one will ever know who you’ve discussed with.” How does it make any sense?
There is so much oddness surrounding this.. First, I don't really see how you can prosecute ideas, because as much as authorities will try and narrowly-define this case as being about moderation (of a platform), and cooperation with authorities, ultimately this is really an attempt to prosecute the idea/concept of publicly available 'e2e' encrypted communications. Second though... How does that list of charges only amount to a maximum of 20 years? lol
In the end, it is not the evil ones who arrested him for very evil reasons (Russia, Iran, etc), but the good democratic countries who did so for good inclusive progressive reasons. </sarcasm>
I'm generally very pro EU, but this anti-encryption stuff they try to pull these last couple of years needs to stop. If it's proven that Pavel Durov is facilitating bad actors with purpose, that's a different story, but creating a secure messaging platform by itself should not constitute a crime.
Telegram is not a secure messaging platform. By default Telegram is not encrypted at all. Only "secret chats" in Telegram are encrypted. Telegram groups are not - and those can be made public and basically are just Telegram hosting content on their servers for you.
That's a popular lie, Telegram uses the MTProto 2.0 Cloud algorithm for non-secret chats, which is audited and verified by multiple independent parties. For example WhatsApp claims it uses E2EE encrypted chats, however these claims are unverified and not audited. Also their chief executives are not in jail, coincidentally.
You can consult these links if you want to read more about it:
This is a Ukraine channel. You can preview it in a web browser. If Telegram can enable that functionality, then it means they have the complete capability to serve the content of the channel. Same story if they can scroll back an existing channel to new users.
Channels were meant to be public. No-one ever claimed encryption for channels since it is nonsense.
You claim that only secret chats are encrypted in telegram, which is straight not true. You can pull up a link to public channel and everyone can preview the posts, that's obvious. You cannot do the same trick with group chats because they are private and encrypted using MTProto
MTProto is pretty much transport layer encryption. After the MTProto decryption occurs, Telegram servers still ultimately receive your unencrypted message encoded as a https://core.telegram.org/method/messages.sendMessage to send it to the recipient and to store it. How do you think it is possible that you can sign in on a new device and get all of your old messages? There's a reason Signal can't do that.
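An added example, not part of any comment in this thread and not Telegram's or Signal's code: it models the architecture the comment above describes, a relay that terminates transport encryption and stores what it receives, next to a chat where the payload is sealed with a key only the two peers hold. The `Server` class, device names, sample message and the toy SHA-256/HMAC cipher are all constructed stand-ins (not MTProto, not the Signal protocol), and key agreement between peers is not modelled.

```python
import hashlib
import hmac
import os


def _subkeys(key):
    # Separate encryption and MAC keys derived from one shared secret.
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()


def _keystream(enc_key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(enc_key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Toy encrypt-then-MAC cipher (constructed stand-in; not MTProto or Signal)."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    body = bytes(a ^ b for a, b in zip(plaintext, stream))
    return nonce + body + hmac.new(mac_key, nonce + body, hashlib.sha256).digest()


def unseal(key, blob):
    enc_key, mac_key = _subkeys(key)
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or modified data")
    return bytes(a ^ b for a, b in zip(body, _keystream(enc_key, nonce, len(body))))


class Server:
    """Hypothetical relay: ends the transport layer and stores the payload."""

    def __init__(self):
        self.transport_keys = {}  # device name -> key shared by that device and the server
        self.stored = []          # what ends up on the server's disk

    def register(self, device):
        self.transport_keys[device] = os.urandom(32)
        return self.transport_keys[device]

    def receive(self, device, blob):
        # The transport layer is removed here; whatever was inside is kept.
        self.stored.append(unseal(self.transport_keys[device], blob))

    def history_for(self, device):
        # Any registered device, including a fresh login, gets the stored payloads.
        key = self.transport_keys[device]
        return [seal(key, item) for item in self.stored]


def run_demo():
    msg = b"meet at 18:00"  # constructed sample message

    # Cloud-style chat: only transport encryption between device and server.
    cloud = Server()
    alice_t = cloud.register("alice-phone")
    cloud.receive("alice-phone", seal(alice_t, msg))
    laptop_t = cloud.register("alice-new-laptop")
    cloud_history = [unseal(laptop_t, b) for b in cloud.history_for("alice-new-laptop")]

    # End-to-end chat: payload sealed with a peer key before the transport layer.
    e2e = Server()
    alice_t2 = e2e.register("alice-phone")
    peer_key = os.urandom(32)  # held by Alice's and Bob's devices only (assumption)
    e2e.receive("alice-phone", seal(alice_t2, seal(peer_key, msg)))
    bob_t = e2e.register("bob-phone")
    bob_view = [unseal(peer_key, unseal(bob_t, b)) for b in e2e.history_for("bob-phone")]
    laptop_t2 = e2e.register("alice-new-laptop")
    laptop_view = [unseal(laptop_t2, b) for b in e2e.history_for("alice-new-laptop")]

    return {
        "server_reads_cloud": msg in cloud.stored,
        "new_device_cloud_history": cloud_history,
        "server_reads_e2e": any(msg in item for item in e2e.stored),
        "bob_reads_e2e": bob_view,
        "new_device_reads_e2e": laptop_view == [msg],
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(name, value)
```

In the cloud-style run the stored payload is the plaintext, so a disclosure request or a server compromise exposes content, and a freshly registered device can read the whole history. In the end-to-end run the same server holds only ciphertext, and a new device without the peer key receives history it cannot open.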
MTProto is not pretty much transport layer encryption, Telegram servers receive messages encrypted with an auth_key which is created during registration directly on the device and never exchanged via network. When you sign in on a new device, you have to communicate the keys with your other devices, and there is also a second-factor user defined recovery password in place, which is not stored or known to the telegram servers. If you lose your permanent session you may be locked out of your account and data forever. Everything is documented at the links, audited and verified, and everything is possible - you can just read how it works.
Why do so many criminals use Telegram over signal, I don’t get it, it’s obviously a worse choice, so much more data is up for grabs on the telegram servers.
Or is it just a reputation and signal is just as popular?
I don't know anything about this guy or the basis of these charges but if he is only "guilty" of operating a messaging platform with the option of end-to-end encryption, thus can't let law enforcement tap into private communications when customers enable that option, how can he be held responsible for the criminal actions of those customers when he isn't even aware of the actions and physically cannot tap into them himself?
This seems like some heavy-handed government coercion.
He will be released as part of some trade. Yesterday Moscow arrested someone from the West with 1 kg of heroin will label "for distribution". That's what drug dealers do lol
Telegram is a darknet, masked as a messenger, no matter what you think about it.
The great proper way to solve such problem should be AI, that monitors illegal activity and acts as a legal mediator, if it found something bad, red flag, and in this case, release the conversation to authorities.
I think people are missing the fact that this could be just a power play situation and intel gathering at intelligence services level. We don’t know everything, and the stakes may be high right now, so maybe the French and more broadly the west, are trying to gather info and see what is really going on while trying to get an advantage. So a larger geopolitical power play here and way less about morals, laws, ethics, precedents, comparable other cases etc, etc…
My impression is that the arrest has to do with Telegram's failure to cooperate with law enforcement. Hardware manufacturers don't generally have the ability to monitor and moderate what their product is used for. I guess one could imagine a hardware manufacturer being arrested for refusing to turn over a log of sales or similar.
Obviously god has no such restriction, but he's probably outside French jurisdiction, and i don't think they have an extradition deal in place.
OP's article is from a crypto blog and I think it misses the big picture.
The Spectator [0] is imho more enlightening:
> There has been speculation that Durov’s arrest is linked to his most recent trip to Baku, Azerbaijan, where he reportedly attempted to meet with Vladimir Putin during a state visit last week. In recent weeks the Kremlin has begun suppressing access to Youtube and WhatsApp in Russia in the wake of Ukraine’s Kursk incursion. There is speculation that Durov may have been attempting to persuade Putin to leave Telegram alone – but the Russian leader refused to meet him. The fact that Durov flew from Baku to Paris in his private plane, knowing that the French had a longstanding warrant out for his arrest, is one of the unanswered mysteries of this story.
So it seems the mystery has a reasonable explanation. There are lots of accidents in Russia, and Pavel probably chose France as the safest option.
There are now also rumors that Russian officials got instruction from above to delete all their communication from the platform.
We will have to wait for more information.
EDIT: I will add that Pavel already lost control over VKontakte in 2014 to the state. By then he had already started Telegram, and so he left Russia back then. (Being denied a meeting with Putin gives Prigozhin saga vibes.) I think he knew the net is closing.
This is how censorship works in developed democracies. Telegram was the last platform where points of view different from sanctioned by the powers that be could be expressed (to a limit--it is still in app store after all). You've done nothing for dissidents until you are charged with CP.
Kim Dotcom being extradited and this one now coming out of left field...Shit just got real.
I suspect this is just the beginning. Western governments are losing control of their "narratives" and no one is buying the propaganda. This is deeply unsettling for those in authority, so it is only logical that they would go after social media that they cannot directly coerce/control for their agenda. But not just the companies, their owners in particular.
Also likely this is a message for Elon and others - comply or go to jail.
It's hard to argue this is tinfoil nonsense when Meta has been accused of child exploitation [1] yet Zuckerberg never went to jail - bc he complied. [2]
It's time to get our collective heads out of the sand and acknowledge that governments are NOT democratic anymore - they serve only to preserve themselves, not us!
Why? He seems to be happily providing information to KGB (sorry, FSB), Russian security service or ignoring backdoors they already have.
In fact, Telegram is one of the most powerful disinformation tools employed by Russia.
No sane and savvy person who stands up to authority would use Telegram.
I was talking with someone VC-ish, about my frustration with all the endpoint hardware and communication software being hopelessly insecure for various real threat models.
But that, even if I somehow managed to pull off a successful superior solution, as a startup or an open source/hardware project, I didn't want to see all the worst criminals flock to my service.
Also, I didn't want to be in an adversarial relationship with my own government at times, nor to secretly compromise the solution.
(Probably the compromise-compromise I'd choose would be proactive: I'd have to backdoor for my government from the start, and publicly disclose that there's a backdoor, so I'm not misrepresenting to my users. Which would mean dramatically less adoption, a lot of privacy & security people cursing it/me, and eventually the backdoor would also be exploited by parties other than the intended.)
And also, I don't have the stomach for adversaries that would include foreign state dirty-tricks agencies.
Most ostensible security solutions on the market are obviously weak, or just plain BS. The ones that might not be, I don't see how they don't run into the same barriers.
News flash: they do. They just see their users as $$$ or don't give a damn. And their users don't care/don't know because they just want peace of mind or legal risk transference.
Legally speaking, if you get right down to it, privacy is de facto illegalized, and the old aphorism about "if you make a country where witchhunts are illegal, the population will be 3 civilly minded libertarians, and the rest witches" applies.
Abandon all hope, ye who enter here; or just realize your dream is effectively only realizable for the exact type of people you don't trust to have it. Then find another line of work.
other countries do this and wonder why they aren't centers of technical innovation. why would anyone working on a privacy-centric tool, after seeing this, base themselves in .fr?
So let's say I open up a night club. I have to abide the laws and regulations, and make sure things like the following: Minors aren't getting in or being served alcohol, that people aren't selling drugs there, that prostitutes aren't doing business there.
If undercover agents come by, and discover that minors are purchasing alcohol - the business will get fined, and likely banned from selling alcohol for some time.
If I, the owner, continue to ignore authorities and flat out refuse to cooperate, and there are new busts - I would expect to face charges. The joint would likely get shut down, and I could be liable. If things are severe enough, I'll likely be investigated for running a criminal enterprise there.
Obviously there are differences in how things are regulated in the different countries - but in countries where the CEO assumes total responsibility, and the buck stops there - it would make sense that the CEO will get charged with those sort of things, if the company has not done enough to cooperate or moderate their product and users.
Let's say I open up a grocery store. Criminals start buying their food and bookkeeping supplies there. The police discover this. Should I be held liable for fueling and enabling these criminals?
the crux of the problem here is that the french police asked for their purchase history, and you said "sorry, i already gave them to the Russian fsb" ;)
So money laundering, drugs, terrorism and child porn plus some others for good measure. Were they deliberately trying to invoke all four horsemen of the infocalypse, or is that a side effect?
Had they stuck with just one I may have been less likely to view this as an authoritarian attack on privacy and freedom of speech.
Telegram is being partially punished for allowing non-mainstream media to flourish: German #RKIfiles today prove that vaccination pressure and lockdowns were politically motivated, but criticized by RKI’s scientific personnel. I learned this already 4 years ago, from Telegram channels where scientists and journalists were not censored! Now Durov has to pay that bill. But maybe Durov should have also cooperated with crime investigations! But we all know that this power to read chats would have been abused by governments! What’s poor Durov going to do???
Telegram was never properly end-to-end encrypted. The way this works is Telegram client sends stuff to the server over client-server encryption. The service provider stores it on server's disk in Netherlands. Since Netherlands is not US, to NSA's hacking team Tailored Access Operations, hacking the server is considered 'fair game', i.e. there are no restrictions. When they hack the server they can read the life of 900,000,000 telegram users. It's that simple.
You shilling for Telegram's tech-billionaire who got caught for hosting child porn for closer to a decade is almost as sad as Telegram's sad state and Durov's future.
> When they hack the server they can read the life of 900,000,000 telegram users. It's that simple.
[Edit: undo blunder]
I have now come to realize (based on [1]) that Telegram's platform was not secure by default, nullifying my arguments here. This discussion has also led me to question the viability of one of my own projects, as it, too, encrypts at disadvantageous points in the pipeline. Hmmm. Sorry for my mistakes here!
Bullish situation, Durov is being targeted mainly because it's not explicitly and collaboratively affiliated with the NATO block.
Terrorism, fraud and child porn are as present on Whatsapp, Facebook and other platforms, Facebook even instrumental in the Myanmar genocide (2017) and yet I haven't seen Zuck ever being detained anywhere at any time.
As a Telegram user, however, Telegram is just great as a chat app. It's lightyears ahead of everything else.
“French authorities believe that Telegram, under Durov’s leadership, became a major platform for organised crime due to its encrypted messaging services, which allegedly facilitated illegal activities.” One could replace Telegram with any other products and find abuse by users of the products to concoct a reason to arrest anyone. This is what an authoritarian regime would do. It’s shocking to see it become part of the playbook of the French government.
Telegram's E2EE isn't available for group chats. It's not on by default for other chats, so most or all of your chats are probably just transport encrypted. Further, they rolled their own crypto (bad), MTProto2, which has a number of problems (but is not necessarily broken)
This places Telegram's security stance below that of even Instagram or Facebook (which also has optional E2EE chats, but uses the Signal protocol, which is considered better than MTProto2.)
I think they don't support cross-device syncing or automatic backups of E2EE chats, so it's about minimising friction by default. Telegram's main focus is UX, unlike Signal which prioritizes security at the expense of UX.
There's nothing in Telegram that couldn't be implemented with security in mind. They just lack the expertise in designing cryptographic protocols that offer those features, and Durov is too proud to consult experts in helping improve the design. Well, now he gets to enjoy French hospitality.
E2EE is optional on Telegram and not really convenient. You can create a private chat which will be E2E encrypted but this takes a few taps and pins to device. Most of the users don't bother. And the main target is not personal chats but channels which can be easily discovered and followed.
This is not an e2e battle, this is the hunt for channel owners. Frankly it is too easy to make a "local chat" and sell stuff. Durov has the data and this is his weakness and strength. Platform is viral but there are too much for one hands.
> French authorities believe that Telegram, under Durov’s leadership, became a major platform for organised crime due to its encrypted messaging services, which allegedly facilitated illegal activities
Nope. It's because of the large telegram group chats for the most part and those aren't E2EE. The only chats that can be E2EE on telegram are one to one DMs and that's only if you manually enable it.
i.e. They refused to turn over chat records that they have server side access to.
It's worth noting that they could do E2EE here for group chats but they don't. Signal does it but telegram wholesale refused to.
I don't know why you were downvoted. Because that is exactly what is going on. EU is generally on an open-encryption-by-warrant path and this is a great example of applying some pressuring.
Should we enable the Iranian political refugee to communicate in secret with her family?
Should we by warrant enable the possibility to open up messages when pedophiles sell or buy children for sex?
Many will disagree with you because your stance does not take an all-or-nothing approach, so good on you for asking these tougher questions. We have the same sort of questions in the US, though a very specific group would love to turn this whole country into a police state (they even have their own flag). I am a big privacy advocate, but also recognize that it is ripe for abuse by bad actors, so the solutions are muddy and need some serious beta testing before they can be called solutions. This is where people tend to get lost in the debate and start responding with emotions rather than reason, which unfortunately does not progress us to a viable solution. I see the same thing happening in the EU, but from afar, so my perception is likely skewed.
This could easily pivot into “all e2e not officially sanctioned is bad because think of the children” if those public channel users use e2e to get the nasty bits done and it’s provable. They (5 eyes countries) really want this to happen, even above all the stuff they already tap into legally at switching centers, network nodes, and social media companies.
So he left Russia over political interference on his companies, but then he is arrested in France and the Russian state intervenes in his favour? What gives, does he want government interference or not?
Just another guy to be traded to Russia in the next prisoner swap.
It's interesting to me how the bots are working overtime downvoting comments and plastering the same lawfare justification against the CEO of Telegram to anyone who disagrees with this arrest.
Whatever the laws of an increasingly authoritarian France; Isn't it fascinating to note that Dictatorships like China and Iran and Saudi Arabia at least are content with jailing their citizens that post "illegal" things while putting up a firewall?
Yes, he was a French citizen. So what. Even if French law demands of a digital public square provider to moderate a billion people at the behest of its governmental censors, we shouldn't support France in its decision to arrest its citizen for providing us with a platform that protects privacy and free speech.
I hope I’m wrong, as I didn’t even know who Pavel Durov was until now, but the first thought that came to mind was that it’s a show of power to intimidate Elon Musk.
By all accounts, this looks to me like it's nothing else but a politically motivated decision - and it gives ever more credence to my take that there is no freedom of speech in Europe
As a side note, this is somewhat reminiscent of how the Catholic Church operated at the height of its power - do what we say or burn at the stake. We should then not be surprised that no longer does technological innovation happen in Europe - at least one that's actually important or has the potential to be
> this is somewhat reminiscent of how the Catholic Church operated at the height of its power
I think the most surprising thing I've realized as I've gotten older is the way in which these cultural and legalistic norms, even 100 years+ bygone, still have considerable influence on modern cultures.
Europe, and particularly France, is very Catholic, ex-Holy Roman brained. US is very protestant brained. China cribs tons of stuff from their old imperial system.
> I think the most surprising thing I've realized as I've gotten older is the way in which these cultural and legalistic norms, even 100 years+ bygone, still have considerable influence on modern cultures.
Oh yeah, definitely. I've noticed similar patterns
Anyway, and I know this is completely random, but I think you'd enjoy reading Dominion: The Making of the Western Mind by Tom Holland. It gives a nice overview of the influence of Christianity on modern Western civilization; though, after reading Bertrand Russell's A History of Western Philosophy (which does, of course, have flaws of its own), I do think Holland places a bit too much importance on the influence of Christianity, as it is not the only thing that has influenced modern Western civilization, nor did Christianity develop in a vacuum - completely uninfluenced by the societal pressures of the time it found itself existing in - which I think Holland forgets to mention as you continue reading the book deeper and deeper. Nonetheless, both are great books and I recommend them
It is unrelated to technological innovation (in the short run). I expect the same result in US. Europe is not united enough to have a separate from US opinion.
I really hope the US doesn't become like Europe (Europe in general, as I know it's not an actual united enough polity at the moment) when it comes to free speech, and, come to think of it, in many, many other aspects as well.
It may sound funny to read, especially if you're an American, but I do still see America as the city upon the hill. I've lived in America, and I'm currently in (sigh) Europe, but I wish to return to that shining city in the future. It may also sound even funnier to read, but I probably love America more than a surprising amount of Americans (not a dig directed to any obvious or non-obvious group within the country currently), even though I wasn't born there. The US has just left a huge impression on me.
Law enforcement is so ill equipped in this digital age. It’s embarrassing. Instead of evolving, they are punishing the people creating services that benefit everybody.
Reminds me of the Tornado Cash service. Used by normal citizens to anonymize transactions on the blockchain; and used by a smaller percentage of criminals. Law enforcement is inept in this digital age. So instead of catching the actual criminals they pursue the people making the service.
It’s all for nothing of course. People were apparently brought up on charges. None of them actual criminals as I recall. Just got thrown the book at them. US government even issued “sanctions”, but they were useless.
Telegram founder Pavel Durov arrested at French airport - https://news.ycombinator.com/item?id=41341353 - Aug 2024 (968 comments)